fli4l – flexible internet router for linux Version 3.10.1 The fli4l-Team email: team@fli4l.
Contents
1. Documentation of the base package
1.1. Introduction
2. Setup and Configuration
2.1. Unpacking the archives
2.2. Configuration
2.2.1. Editing the configuration files
2.2.2. Configuration via a special configuration file
2.2.3. Variables
4. Packages
4.1. Tools In The Package 'Base'
4.1.1. OPT_SYSLOGD – Logging system messages
4.1.2. OPT_KLOGD – Logging kernel messages
4.1.3. OPT_LOGIP – Logging WAN IP addresses
4.1.4. OPT_Y2K – Date correction for systems that are not Y2K-safe
4.1.5. OPT_PNP – Installation of ISAPnP tools
4.2. Advanced Networking
4.9.5. OPT_RECOVER – Emergency Option
4.9.6. OPT_HDDRV - Additional Drivers For Harddisk Controllers
4.10. HTTPD - Webserver For Status-Display
4.10.1. OPT_HTTPD - Mini-Webserver As Status-Display
4.10.2. User Management
4.10.3. OPT_OAC - Online Access Control
4.11.
4.18.2. Examples
4.19. SSHD - Secure Shell, Secure Copy
4.19.1. Installation Of The Secure-Shell-Daemon
4.19.2. Installation Of Dbclient
4.19.3. Installation Of A Plink Client
4.19.4. Installation Of A Sftp Server
4.19.5. Literature
6. Connecting PCs in the LAN
6.1. IP address
6.2. Host and domain name
6.2.1. Windows 2000
6.2.2. NT 4.0
6.2.3. Win95/98
6.2.4. Windows XP
6.2.5. Windows 7
6.2.6. Windows 8
6.3. Gateway
6.4. DNS server
6.5. Miscellaneous
8.3.13. Source Code
8.3.14. More Files
8.4. Creating Scripts for fli4l
8.4.1. Structure
8.4.2. Handling of Configuration Variables
8.4.3. Persistent Data Storage
8.4.4. Debugging
8.4.5. Hints
8.5. Using The Packet Filter
8.5.1.
A.9.4. Sponsors 345
A.10. Feedback 347
B. Appendixes to optional packages
B.1. CHRONY - Inform other applications about timewarps
B.2. DSL - PPPD and Active Filter
B.3. DYNDNS
B.3.1. Adding Of New Providers
1. Documentation of the base package
1.1. Introduction
fli4l is a Linux-based router capable of handling ISDN, DSL, UMTS, and ethernet connections, with low hardware requirements: a USB stick used for booting, an Intel Pentium MMX processor, 64 MiB RAM as well as (at least) one ethernet network adapter are completely sufficient. The necessary boot medium can be created under Linux, Mac OS X or MS Windows. You don't need any specific Linux knowledge, but it is definitely helpful.
– Execution of user-defined commands on incoming phone calls (e.g. to perform Internet dial-up)
– Support for IP aliasing (multiple IP addresses per network interface)
– VPN support
– IPv6 support
– WLAN support: fli4l can be an access point as well as a client
– RRD tool for monitoring the fli4l
– and much more...
2. Setup and Configuration
2.1. Unpacking the archives
Under Linux:
tar xvfz fli4l-3.10.1.tar.gz
If this does not work, try the following:
gzip -d < fli4l-3.10.1.tar.gz | tar xvf -
If you unpack the current version into a directory which already contains fli4l files from a previous installation, you should execute mkfli4l.sh -c:
cd fli4l-3.10.1
sh mkfli4l.sh -c
However, we recommend using a fresh directory for a new version, as you can easily take over the configuration with a file comparison tool.
– img/kernel: Linux kernel
– img/boot*.msg: bootscreen texts
• Additional packages:
– opt/*.txt: These files describe which files will be included in the opt.img archive.
2.2.2. Configuration via a special configuration file
Due to the module concept of fli4l, the configuration is distributed across different files. As editing these separate files may become tedious, it is possible to store the configuration in a single file called <config directory>/_fli4l.txt. This file is read in addition to the other configuration files, and its contents override any settings found in the other configuration files.
Before you try the more advanced installation procedures, you should make yourself comfortable with fli4l by setting up a minimal version. If you later want to use your fli4l as an answering machine or an HTTP proxy, you will already feel confident and have the experience of setting up a basic running system.
is the smallest, so that running the router with very low memory is possible in the majority of cases. You can find further information on the hard disk installation in the documentation of the HD package (a separate download), starting at the description of the configuration variable OPT_HDINSTALL.
3. Base configuration
Since fli4l 2.0 the distribution is designed to be modular and consists of multiple packages which have to be downloaded separately. The package fli4l-3.10.1.tar.gz contains only the base software for a pure ethernet router. For DSL, ISDN, and other software you will have to download further packages and extract them into the directory fli4l-3.10.1/.
Table 3.1.: Overview of additional packages
Archive to download      Package
fli4l-3.10.1             BASE, required!
kernel_3_14              Kernel 3.14.z, recommended
kernel_3_14_virt         Kernel 3.14-virt, alternative, for use in virtual environments
kernel_3_14_nonfree      Kernel 3.
Further archives: kernel_3_14_virt_nonfree, fli4l-3.10.1-doc, advanced_networking, chrony, dhcp_client, dns_dhcp, dsl, dyndns, easycron, hd, httpd, imonc_windows, imonc_unix, ipv6, isdn, lcd, lpdsrv, openvpn, pcmcia, ppp, proxy, qos, sshd, tools, umts, usb, wlan
##-----------------------------------------------------------------------------
## Creation:     26.06.2001  fm
## Last Update:  $Id: base.txt 36670 2015-01-24 23:48:42Z kristov $
##
## Copyright (c) 2001-2014 - Frank Meyer, fli4l-Team
IP_ROUTE_2='0.0.0.0/0 192.168.6.
# reject 1 udp packet per second; allow a burst
# of 5 events; otherwise drop packet
PF_OUTPUT_N='0'                                       # number of OUTPUT rules
PF_POSTROUTING_N='1'                                  # number of POSTROUTING rules
PF_POSTROUTING_1='IP_NET_1 MASQUERADE'                # masquerade traffic leaving the subnet
PF_PREROUTING_N='0'                                   # number of PREROUTING rules
PF_PREROUTING_1='1.2.3.4 dynamic:22 DNAT:@client2'    # forward ssh connections coming from 1.2.3.
IMOND_PORT='5000'          # port (tcp), don't open it to the outside
IMOND_PASS=''              # imond-password, may be empty
IMOND_ADMIN_PASS=''        # imond-admin-password, may be empty
IMOND_LED=''               # tty for led: com1 - com4 or empty
IMOND_BEEP='no'            # beep if connection is going up/down
IMOND_LOG='no'             # log /var/log/imond.log: yes or no
IMOND_LOGDIR='auto'        # log-directory, e.g.
IMOND_ENABLE='yes'
IMOND_DIAL='yes'
IMOND_ROUTE='yes'
IMOND_REBOOT='yes'
#-----------------------------------------------------------------------------
# Optional package: PNP
#-----------------------------------------------------------------------------
#OPT_PNP='yes'              # install isapnp tools: yes or no
Please note that this file is stored with DOS line endings, i.e. each line contains an additional carriage return (CR) at the end.
hd: Choose this to boot from a hard disk. You will find more information in the Documentation (Page 118) of the HD package.
cd: Choose this to boot from CD-ROM. With this setting, the ISO image fli4l.iso will be created, which you have to burn onto a CD with your favourite CD burning application. Please make sure to choose the right driver for your CD drive.
integrated: Choose this if you do not plan to use a conventional boot medium but e.g. want to boot over a network.
This variable controls how long the syslinux boot loader should wait until the default installation is booted automatically. The OPT_RECOVER variable of the HD package allows you to activate a function that lets you create a recovery installation from a working installation. This recovery installation can be activated in the boot menu by choosing the recovery version.
COMP_TYPE_ROOTFS
Default setting: COMP_TYPE_ROOTFS='xz'
This variable selects the compression method to be used for the RootFS archive. Possible values are 'xz', 'lzma', and 'bzip2'.
COMP_TYPE_OPT
Default setting: COMP_TYPE_OPT='xz'
This variable selects the compression method to be used for the OPT archive. Possible values are 'xz', 'lzma', and 'bzip2'.
Table 3.2.: Automatically generated maximum number of simultaneous connections
RAM in MiB    simultaneous connections
16            1024
24            1280
32            2048
64            4096
128           8192
or
ip_conntrack: Maximum limit of XXX entries exceeded
The variable IP_CONNTRACK_MAX changes the maximum number of simultaneously existing connections to a fixed value. Each possible connection consumes 350 bytes of RAM, which cannot be used for other things. If you e.g.
3.3. Console settings
CONSOLE_BLANK_TIME
Default Setting: CONSOLE_BLANK_TIME=''
Typically, the Linux kernel activates the console's screen saver after some time without console input activity. The variable CONSOLE_BLANK_TIME allows you to configure the timeout to be used or to disable the screen saver completely (CONSOLE_BLANK_TIME='0').
BEEP
Default Setting: BEEP='yes'
Causes a beep at the end of the boot or shutdown process.
3.4. Hints To Identify Problems And Errors
fli4l logs all output produced while booting into the file /var/tmp/boot.log. After the boot process has finished you can review this file at the console or via the web interface. Sometimes it is useful to generate a more detailed trace of the start sequence, e.g. to analyze the boot process in case of problems. The variable DEBUG_STARTUP exists for this very reason.
The device denotes the terminal used for program input/output. Possible devices are the terminals tty1-tty4 or the serial terminals ttyS0-ttySn, with n the number of available serial ports. The possible actions are typically askfirst or respawn. Using askfirst lets "init" wait for a keypress before running that command. The respawn action causes the command to be automatically restarted whenever it terminates. command specifies the program to execute. You have to use a fully qualified path.
• Copy the keyboard layout map you have just created to your fli4l directory under opt/etc/<locale>.map. If you now set KEYBOARD_LOCALE='<locale>', your freshly created keyboard layout will be used the next time the fli4l images are built.
• Don't forget to set OPT_MAKEKBL to 'no' again.
3.7. Ethernet network adapter drivers
NET_DRV_N
Number of needed network adapter drivers.
No space is allowed before or after the comma! This does not work with all network adapter drivers. Some of them need to be loaded twice, i.e. you have to use NET_DRV_N='2'. In this case you will have to assign different names to the adapters by using the "-o" option, e.g.
NET_DRV_1='wd'
NET_DRV_1_OPTION='io=0x270'
NET_DRV_2='ne2k'
NET_DRV_2_OPTION='io=0x240'
You can find complete lists of available drivers in the Table of available network adapter drivers and in the Table of available WLAN adapter drivers. If you need a dummy device, use 'dummy' as your NET_DRV_x and IP_NET_x_DEV (Page 40)='dummy<number>' as your device.
Table of available network adapter drivers (columns: Bus, NET_DRV_x, Adapter family, Kernel 3.14 / v / n)
you want the router to receive its IP address dynamically via a DHCP client, it is possible to set this variable to 'dhcp'. The following table shows how the CIDR notation and the dotted notation for net masks are related.
CIDR    Net mask           Number of IP addresses
/8      255.0.0.0          16777216
/16     255.255.0.0        65536
/23     255.255.254.0      512
/24     255.255.255.0      256
/25     255.255.255.128    128
/26     255.255.255.192    64
/27     255.255.255.224    32
/28     255.255.255.240    16
/29     255.255.255.248    8
/30     255.255.255.
IP_NET_x_MAC
Default Setting: IP_NET_1_MAC=''
Optional: MAC address of the network adapter. With this variable you are able to change the hardware address (MAC) of your network adapter. This is useful if you want to use a DHCP provider expecting a certain MAC address. If you leave IP_NET_x_MAC empty or remove the variable definition completely, the original MAC address of your network adapter will be used. Most users will never need this variable.
In this case, network is the network address, /netmaskbits the net mask in CIDR (Page 40) notation and gateway the address of the router needed for accessing the other network. Obviously, the gateway and the fli4l router are required to be in the same network! For example, if the network 192.168.7.0 with net mask 255.255.255.0 can be accessed through the gateway 192.168.6.99, you have to add the following entry:
IP_ROUTE_N='1'
IP_ROUTE_1='192.168.7.0/24 192.168.6.
Figure 3.1.
• source (source address, source port or both)
• destination (destination address, destination port or both)
• protocol
• interface on which the packet comes in or goes out
• MAC address of the originating PC
• state of the packet or of the connection the packet belongs to
If a packet comes in, the entries, or rather the rules generated from them, are processed from top to bottom, and the first action whose conditions all apply is performed.
Action      Chain(s)                   Meaning
DNAT        PREROUTING                 Replace destination address and destination port of the packet by the address specified as a parameter for SNAT (for all packets belonging to the connection in consideration).
REDIRECT    PREROUTING, OUTPUT         Replace destination port of the packet by the address specified as a parameter for SNAT (for all packets belonging to the connection in consideration).
NETMAP      PREROUTING, POSTROUTING    Copy destination resp.
Expression          Meaning
port[-port]         a port or a port range
IP_NET_x_IPADDR     the IP address of the router's x-th interface
IP_NET_x            the router's x-th subnet
IP_ROUTE_x          the subnet specified in route x (default routes can't be used; they would match anything and are excluded as a precaution)
@name               one of the names or aliases set via HOST_%_*; the associated IP address will be filled in here
:port[-port]        Host- resp.
Interface Constraints
A rule can be restricted with respect to the interface on which a packet was received or will be transmitted. The format is as follows:
if:in:out
In the INPUT chain the interface for outbound packets cannot be restricted (the packet does not leave anyway); in the POSTROUTING chain the interface for received packets cannot be restricted, because that information no longer exists at that point. Only in the FORWARD chain can constraints for both be defined.
State          Meaning
INVALID        The packet does not belong to a known connection.
ESTABLISHED    The packet belongs to a connection in which packets have already been transmitted in both directions.
NEW            The packet establishes a new connection or belongs to a connection that has not yet had packets transmitted in both directions.
RELATED        The packet establishes a new connection, but is related to an already existing connection (e.g. FTP establishes a separate connection for data transfer).
Which services have predefined rules (i.e. for which templates exist) can be seen in the template file at opt/etc/fwrules.tmpl/templates. A list in a table follows (see table 3.8).
Instead of using an IP address we use an entry from the HOST_%_NAME array. dynamic tells fli4l to forward all ports from the Internet interface. The second rule forwards the HTTPS protocol to a web server in a DMZ (Demilitarized Zone).
prot:tcp 22
prot:tcp 25
53
prot:udp 137-138
prot:tcp 139
prot:tcp 445
Every time you use the template vpn_friends, rules will be created for all protocols and ports it contains. PF_FORWARD_x='tmpl:vpn_friends ACCEPT' will create these FORWARD rules:
prot:tcp 22 ACCEPT
prot:tcp 25 ACCEPT
53 ACCEPT
prot:udp 137-138 ACCEPT
prot:tcp 139 ACCEPT
prot:tcp 445 ACCEPT
3.10.4.
PF_INPUT_ACCEPT_DEF
If this variable is set to 'yes', default rules will be generated that are needed for the correct functioning of the router. Use 'yes' as the default here. If you want to configure the router's behaviour completely yourself, you may enter 'no' here, but you will then have to define all rules on your own.
PF_INPUT_ICMP_ECHO_REQ_LIMIT
Defines how often fli4l should react to an ICMP echo request. The frequency is described as n/time unit with bursts, analogous to the limit constraints, e.g. 3/minute:5. If the limit is reached, packets will be ignored (DROP). If this entry is empty, a default of 1/second:5 is used; if set to none, the limit constraints are disabled.
PF_INPUT_ICMP_ECHO_REQ_SIZE
Defines the allowed size of an ICMP echo request (in bytes).
PF_FORWARD_LOG
Defines whether rejected packets should be logged by the kernel. Log output can be directed to the syslog daemon by activating OPT_KLOGD.
PF_FORWARD_LOG_LIMIT
Defines how often log entries will be generated. The frequency is described as n/time unit with bursts, analogous to the limit constraints, e.g. 3/minute:5. If this entry is empty, a default of 1/second:5 is used; if set to none, the limit constraints are disabled.
PF_OUTPUT_LOG
Defines whether rejected packets should be logged by the kernel. Log output can be directed to the syslog daemon by activating OPT_KLOGD.
PF_OUTPUT_LOG_LIMIT
Defines how often log entries will be generated. The frequency is described as n/time unit with bursts, analogous to the limit constraints, e.g. 3/minute:5. If this entry is empty, a default of 1/second:5 is used; if set to none, the limit constraints are disabled.
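The limit syntax n/time:burst shared by PF_INPUT_ICMP_ECHO_REQ_LIMIT, PF_FORWARD_LOG_LIMIT and PF_OUTPUT_LOG_LIMIT, modelled as a token bucket in an added Python example that is not fli4l code; the event timestamps are constructed, and a missing :burst part is assumed to default to 5 as it does for the iptables limit match.

```python
"""Model of the fli4l limit syntax 'n/unit:burst' used by PF_INPUT_ICMP_ECHO_REQ_LIMIT,
PF_FORWARD_LOG_LIMIT and PF_OUTPUT_LOG_LIMIT (added example, not fli4l code)."""
from typing import List, Optional, Tuple

# Time units accepted by the iptables limit match, expressed in seconds.
UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

def parse_limit(spec: str, default: str = "1/second:5") -> Optional[Tuple[float, int]]:
    """Return (tokens per second, burst), or None when limiting is disabled.

    An empty spec falls back to the documented default 1/second:5 and the value
    'none' disables the limit, as the documentation describes.
    Assumption: a missing ':burst' part uses 5, the default of iptables --limit-burst.
    """
    spec = spec.strip() or default
    if spec == "none":
        return None
    rate, _, burst = spec.partition(":")
    count, unit = rate.split("/")
    return int(count) / UNITS[unit], int(burst) if burst else 5

class TokenBucket:
    """The limit match behaves like a token bucket: 'burst' tokens are available at
    once, and tokens are refilled at the configured average rate."""
    def __init__(self, rate_per_second: float, burst: int) -> None:
        self.rate = rate_per_second
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now: float) -> bool:
        """Consume one token for an event at time 'now' (seconds, non-decreasing)."""
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def apply_limit(spec: str, event_times: List[float]) -> List[bool]:
    """Decide per event whether it passes (True) or is ignored/dropped (False)."""
    parsed = parse_limit(spec)
    if parsed is None:                 # 'none': no limiting at all
        return [True] * len(event_times)
    bucket = TokenBucket(*parsed)
    return [bucket.allow(t) for t in event_times]

if __name__ == "__main__":
    # Constructed sample: eight echo requests within 70 ms, then one three seconds later.
    burst_times = [0.0, 0.01, 0.02, 0.03, 0.04, 0.05, 0.06, 0.07, 3.0]
    for spec in ("", "3/minute:5", "none"):
        print(f"{spec or '<empty>':>12}: {apply_limit(spec, burst_times)}")
```

With the default 1/second:5 the first five requests of the burst pass and the ninth, three seconds later, passes again; with 3/minute:5 only the initial burst passes.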
The NAT Chains (Network Address Translation)
Packets can still be changed after the routing decision. For example, they may get a new target address to be forwarded to another computer (port forwarding), or a new source address may be inserted to mask the network behind the router. Masquerading is used e.g. to provide Internet access for a private net over one public IP, or in a DMZ setup to hide the structure of the local net from computers in the DMZ.
REDIRECT behaves like DNAT, with the exception that the target IP address is always set to 127.0.0.1, thus delivering the packet locally. This is needed e.g. for transparent proxies, see OPT_TRANSPROXY (Page 191). If you want a port forwarded to an interface with a dynamic address, you do not know (at the time of configuration) to which IP the packet should be sent.
PF_FORWARD_POLICY='REJECT'
PF_FORWARD_ACCEPT_DEF='yes'
PF_FORWARD_LOG='no'
PF_FORWARD_N='2'
PF_FORWARD_1='tmpl:samba DROP'
PF_FORWARD_2='IP_NET_1 ACCEPT'
Note the dependence on the order of rules: first the NetBIOS packets are dropped, and afterwards the packets of the local net are accepted.
PF_FORWARD_POLICY='REJECT'
PF_FORWARD_ACCEPT_DEF='yes'
PF_FORWARD_LOG='no'
PF_FORWARD_N='2'
PF_FORWARD_1='if:any:pppoe tmpl:samba DROP'
PF_FORWARD_2='192.168.6.0/23 ACCEPT'
PF_POSTROUTING_N='1'
PF_POSTROUTING_1='if:any:pppoe MASQUERADE'
Packets going out over the pppoe interface that are addressed to UDP ports 137-138 or to TCP ports 139 and 445 will be dropped (rule 1); all other packets from subnet 192.168.6.0/23 will be forwarded (rule 2).
Route Network
Let's add a net 10.0.0.
Blacklists, Whitelists
Blacklists (a machine in this list is forbidden to do something) and whitelists (a machine in this list is allowed to do something) are defined in a very similar way. Rules are written so that they are very specific at the beginning and become more general towards the end. With a blacklist, rules are defined that forbid something at the beginning and at the end allow it to everything not previously mentioned. With a whitelist it is exactly the other way round.
PF_POSTROUTING_x='any @proxy:3128 SNAT:IP_NET_1_IPADDR'
# change all packets to port 3128 in a way as if they came from
# fli4l (IP_NET_1_IPADDR)
PF_FORWARD_x='prot:tcp @proxy 80 ACCEPT'
# let HTTP packets from the proxy pass the FORWARD chain (if necessary)
...
If more nets or conflicting port forwardings (which are also DNAT rules) exist, the rules may have to be more differentiated.
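The rule strings of the FORWARD chain in the DSL example above and the SNAT rule for the transparent proxy, evaluated top-to-bottom with first-match-wins by an added Python model that is not fli4l code; the SYMBOLS table (the values filled in for IP_NET_1, IP_NET_1_IPADDR and @proxy), the contents of the samba template and the sample packets are constructed assumptions.

```python
"""Model of the fli4l rule strings shown in this chapter (added example, not fli4l code):
if:in:out, prot:, addresses/subnets, IP_NET_x and @name symbols, ports, tmpl:name, action."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed substitutes for what fli4l fills in from IP_NET_x and HOST_x_NAME; the
# keyword 'dynamic' (the current address of a dial-up interface) is not modelled here.
SYMBOLS = {"IP_NET_1": "192.168.6.0/24", "IP_NET_1_IPADDR": "192.168.6.1",
           "@proxy": "192.168.6.10"}

# vpn_friends as listed in the documentation; samba as described in the DSL example (assumed).
TEMPLATES = {
    "vpn_friends": ["prot:tcp 22", "prot:tcp 25", "53", "prot:udp 137-138",
                    "prot:tcp 139", "prot:tcp 445"],
    "samba": ["prot:udp 137-138", "prot:tcp 139", "prot:tcp 445"],
}

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    in_if: str = "eth0"      # constructed defaults: LAN in, DSL out
    out_if: str = "pppoe"

@dataclass
class Rule:
    action: str
    in_if: str = "any"
    out_if: str = "any"
    proto: str = "any"
    src: str = "any"
    dst: str = "any"
    ports: Optional[Tuple[int, int]] = None   # destination port range

def _port_range(text: str) -> Tuple[int, int]:
    lo, _, hi = text.partition("-")
    return int(lo), int(hi or lo)

def expand(rule: str) -> List[str]:
    """tmpl:NAME yields one rule per template entry (as shown for tmpl:vpn_friends)."""
    tokens = rule.split()
    for i, tok in enumerate(tokens):
        if tok.startswith("tmpl:"):
            return [" ".join(tokens[:i] + [entry] + tokens[i + 1:])
                    for entry in TEMPLATES[tok[5:]]]
    return [rule]

def parse(rule: str) -> Rule:
    tokens = rule.split()
    parsed = Rule(action=tokens.pop())           # the last token is always the action
    addrs: List[str] = []
    for tok in tokens:
        if tok.startswith("if:"):
            _, parsed.in_if, parsed.out_if = tok.split(":")
        elif tok.startswith("prot:"):
            parsed.proto = tok[5:]
        elif ":" in tok:                          # host:port form such as @proxy:3128
            host, port = tok.split(":")
            addrs.append(SYMBOLS.get(host, host))
            parsed.ports = _port_range(port)
        elif tok[0].isdigit() and "." not in tok:  # bare port or port range
            parsed.ports = _port_range(tok)
        else:                                     # address, subnet, symbol or 'any'
            addrs.append(SYMBOLS.get(tok, tok))
    if addrs:
        parsed.src = addrs[0]
    if len(addrs) > 1:
        parsed.dst = addrs[1]
    return parsed

def _addr_match(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.in_if in ("any", pkt.in_if) and rule.out_if in ("any", pkt.out_if)
            and rule.proto in ("any", pkt.proto)
            and _addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)
            and (rule.ports is None or rule.ports[0] <= pkt.dport <= rule.ports[1]))

def decide(chain: List[str], policy: str, pkt: Packet) -> str:
    """Rules are processed from top to bottom; the first rule whose conditions all
    apply determines the action, otherwise the chain policy does."""
    for rule in chain:
        for entry in expand(rule):
            parsed = parse(entry)
            if matches(parsed, pkt):
                return parsed.action
    return policy

# The FORWARD chain of the DSL example: drop NetBIOS/SMB towards pppoe first, then
# accept the rest of the local net. With the two rules swapped, port 445 is accepted.
FORWARD = ["if:any:pppoe tmpl:samba DROP", "192.168.6.0/23 ACCEPT"]
```

decide(FORWARD, "REJECT", Packet("192.168.6.20", "203.0.113.5", "tcp", 445)) returns DROP, while the same packet against the reversed chain returns ACCEPT, which is the ordering dependence the text points out.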
You may continue here forever...
3.10.7. DMZ – Demilitarized Zone
fli4l may also serve to build a DMZ. As this is only another additional ruleset for the router, please refer to the wiki at https://ssl.nettworks.org/wiki for the time being.
3.10.8. Conntrack-Helpers
Using IP masquerading has the advantage that a bunch of machines in the LAN can be routed over only one official IP address. However, there are also disadvantages that you have to take into account.
By this rule, all FTP connections coming from the DSL interface (pppoe) are associated with the conntrack helper. If the router is not dialing itself but e.g. is behind another router (Fritz!Box, cable modem, a.s.o.
PF_PREROUTING_CT_N
PF_PREROUTING_CT_x
PF_PREROUTING_CT_x_COMMENT
List of rules that describe which incoming packets are associated with conntrack helpers by the router.
PF_OUTPUT_CT_ACCEPT_DEF
If this variable is set to 'yes', default rules are generated that are necessary for the proper functioning of the router. By default, you should use 'yes' here.
are set to 'yes', you need to fill this variable with a valid DNS server address, as otherwise no DNS resolution will be possible directly after the router has booted. Exception: If you use fli4l as a local router without a connection to the Internet or to other (company) networks with DNS servers, you should set this variable to '127.0.0.1' in order to disable DNS forwarding completely.
control whether providing the user password is sufficient to execute control commands like Dial, Hangup, Reboot, or Changing the Default Route, or whether a special admin password is needed for these requests (see below).
IMOND_ADMIN_PASS
Default setting: IMOND_ADMIN_PASS=''
Using the admin password, the client receives all rights and can thus use all control functions of the imond server, regardless of the contents of the variables IMOND_ENABLE, IMOND_DIAL etc.
Table 3.10.
DIALMODE
fli4l's default dial mode is 'auto', i.e. fli4l dials automatically if an IP packet has to be routed to an IP address outside the LAN. However, you may also set the dial mode to 'manual' or 'off'. In these cases, dialing to establish a connection is only possible using the imonc client or the web interface.
4. Packages
Besides the BASE installation there are also packages. Each package contains one or more "OPTs" which can be installed in addition to the base installation. Some of the OPTs are part of the BASE package, others have to be downloaded separately. The download site (http://www.fli4l.de/en/download/stable-version/) gives an overview of the packages provided by the fli4l team; the OPT database (http://extern.fli4l.de/fli4l_opt-db3/) contains packages offered by other authors.
If you have a so-called "log host" in your network, you can redirect the Syslog messages to that host by supplying its IP address. Example:
SYSLOGD_DEST_1='*.* @192.168.4.1'
The "@" sign has to be prepended to the IP address. If you want the Syslog messages to be delivered to multiple destinations, it is necessary to increase the variable SYSLOGD_DEST_N (number of destinations used) accordingly and to fill the variables SYSLOGD_DEST_1, SYSLOGD_DEST_2 etc. with appropriate content. The syntax '*.
SYSLOGD_ROTATE_DIR
The optional variable SYSLOGD_ROTATE_DIR lets you specify the directory where the archived Syslog files should be stored. Leave it empty to use the default directory /var/log.
SYSLOGD_ROTATE_MAX
The optional variable SYSLOGD_ROTATE_MAX lets you specify the number of archived/rotated Syslog files.
SYSLOGD_ROTATE_AT_SHUTDOWN
With the optional variable SYSLOGD_ROTATE_AT_SHUTDOWN you can disable the rotation of syslog files at shutdown.
Y2K_DAYS – add N days to the system date
Because the BIOS date differs from the actual one by exactly 2191 days, the setting Y2K_DAYS='2191' causes the fli4l router to add 2191 days to the BIOS date before using it as the Linux system date. The BIOS date is left untouched because otherwise the year would be wrong again (2094 or 1994, resp.) after the next boot. There is an additional alternative: using a time server, fli4l is able to fetch the current date and time from the Internet.
1) – Here you can choose the I/O "BASE" address. This address must lie between the minimum and maximum address and conform to the "base alignment". If your system uses more than one ISA adapter, you will have to ensure that there are no overlaps between address ranges. The address range starts at "BASE" and ends at "BASE + number of I/O addresses required".
2) – Here you can pick an IRQ from the list shown.
Very unusual problems can appear, especially when using EBTables without perfectly knowing the diverse operational modes of layer 2 and 3. Some filtering rules of the packet filter will work completely differently with EBTables support enabled.
4.2.1. Broadcast Relay - Forwarding of IP Broadcasts
Using a Broadcast Relay, IP broadcasts can cross interface boundaries. This is necessary for applications which discover network devices using broadcasts (e.g. QNAP Finder).
OPT_BONDING_DEV
Default: OPT_BONDING_DEV='no'
'yes' activates the bonding package, 'no' deactivates the bonding package completely.
BONDING_DEV_N
Default: BONDING_DEV_N='0'
Number of bonding devices to be configured.
BONDING_DEV_x_DEVNAME
Default: BONDING_DEV_x_DEVNAME=''
Name of the bonding device to be created. It should consist of the prefix 'bond' and a trailing number without a leading '0'. The numbers of the bonding devices don't have to start with '0' and need not be consecutive.
balance-alb
Adaptive load balancing: includes both balance-tlb and inbound (receive) load balancing (rlb) for IPv4 traffic, and places no special requirements on the switch. Load balancing for incoming traffic is achieved through ARP requests. The bonding driver intercepts ARP replies sent by the server on their way out and overwrites the source hardware address with the unique hardware address of one slave in the bond. This way, different clients use different hardware addresses for the server.
This setting is optional and can also be completely omitted. A bonding device defaults to the MAC address of the first physical device used for bonding. If you do not want this, it is possible to specify here the MAC address the bonding device should use.
BONDING_DEV_x_MIIMON
Default: BONDING_DEV_x_MIIMON='100'
This setting is optional and can also be completely omitted.
BONDING_DEV_x_PRIMARY
Default: BONDING_DEV_x_PRIMARY=''
This setting is optional and can also be completely omitted. Specifies the primary output device if the mode is set to 'active-backup'. This is useful if the various devices have different speeds. Provide a string (for example 'eth0') for the device to be used primarily. If a value is entered and the device is online, it will be used as the first output medium. Only if the device is offline will another device be used.
to work with VLANs should ensure that the respective Linux NIC drivers support VLANs correctly.
OPT_VLAN_DEV
Default: OPT_VLAN_DEV='no'
'yes' activates the VLAN package, 'no' deactivates it.
VLAN_DEV_N
Default: VLAN_DEV_N=''
Number of VLAN devices to configure.
VLAN_DEV_x_DEV
Default: VLAN_DEV_x_DEV=''
Name of the device connected to a VLAN-capable switch (e.g. 'eth0', 'br1', 'eth2', ...).
VLAN_DEV_x_VID
Default: VLAN_DEV_x_VID=''
The VLAN ID for which the corresponding VLAN device should be created.
DEV_MTU_N='1'
DEV_MTU_1='eth0 1496'
4.2.5. BRIDGE - Ethernet Bridging for fli4l
This is a full-fledged ethernet bridge using the spanning tree protocol on demand. For the user the computer seems to work as a layer 3 switch on the configured ports. Further information on bridging can be found here:
• Homepage of the Linux Bridging Project: http://bridge.sourceforge.net/
• The detailed and authoritative description of the bridging standards: http://standards.ieee.org/getieee802/download/802.1D-2004.pdf
BRIDGE_DEV_x_DEVNAME
Default: BRIDGE_DEV_x_DEVNAME=''
Each bridge device needs a name in the form 'br<number>'. <number> can be a number between '0' and '99' without a leading '0'. Possible entries could be 'br0', 'br9' or 'br42'. Names can be chosen arbitrarily; the first bridge may be 'br3' and the second 'br0'.
BRIDGE_DEV_x_DEV_N
Default: BRIDGE_DEV_x_DEV_N='0'
How many network devices belong to the bridge? The count of devices that should be connected to the bridge.
BRIDGE_DEV_x_PRIORITY
Default: BRIDGE_DEV_x_PRIORITY=''
This setting is optional and can also be completely omitted. Only valid if BRIDGE_DEV_x_STP='yes' is set! What priority does this bridge have? The bridge with the lowest priority wins the main bridge election. Each bridge should have a different priority.
BRIDGE_DEV_x_DEV_x_PATHCOST
Default: BRIDGE_DEV_x_DEV_x_PATHCOST='100'
This setting is optional and can also be completely omitted. Only valid if BRIDGE_DEV_x_STP='yes' is set! Indirectly specifies the bandwidth for this connection. The lower the value, the higher the bandwidth, and therefore the connection gets a higher priority. The proposed calculation base is 1000000 kbit/s, which leads to the path costs listed in table 4.1.
ebtables.post in the directory config/ebtables. ebtables.pre will be executed before and ebtables.post after configuring the netfilter. Please remember that an error in the ebtables scripts may interrupt the boot process of the fli4l router! Before using EBTables you should definitely read the complete documentation. By using EBTables the complete behavior of the router may change! In particular, filtering by mac: in PF_FORWARD will not work as before.
Further information about ethtool can be found here: http://linux.die.net/man/8/ethtool

4.2.9. Example

A simple example is certainly helpful for understanding. In our example we assume two parts of a building which are connected by 2 x 100 Mbit/s lines. Four separate networks should be routed from one building to the other.
BRIDGE_DEV_2_DEV_1='bond0.22'
BRIDGE_DEV_2_DEV_2='eth3'
BRIDGE_DEV_3_NAME='_VLAN33_'
BRIDGE_DEV_3_DEVNAME='br33'
BRIDGE_DEV_3_DEV_N='2'
BRIDGE_DEV_3_DEV_1='bond0.33'
BRIDGE_DEV_3_DEV_2='eth4'
BRIDGE_DEV_4_NAME='_VLAN44_'
BRIDGE_DEV_4_DEVNAME='br44'
BRIDGE_DEV_4_DEV_N='2'
BRIDGE_DEV_4_DEV_1='bond0.44'
BRIDGE_DEV_4_DEV_2='eth5'

As a result all four nets are connected with each other completely transparently and share the 200 Mbit/s connection.
Only time servers in the Internet which are reachable by the default route (0.0.0.0/0) can be used, because only the default route switches chrony into online mode. As an Ethernet router with no DSL or ISDN circuits configured, chrony acts permanently in online mode.

Disclaimer: The author gives neither a guarantee of functionality nor is he liable for any damage or the loss of data when using OPT_CHRONY.

4.3.1.
4.3.2. Support

Support is only given in the fli4l newsgroups (Page 92).

4.3.3. Literature

Homepage of chrony: http://chrony.tuxfamily.org/
NTP: The Network Time Protocol: http://www.ntp.org/
pool.ntp.org: public NTP time servers for everyone: http://www.pool.ntp.org/en/
RFC 1305 - Network Time Protocol (Version 3) Specification, Implementation: http://www.faqs.org/rfcs/rfc1305.html
fli4l newsgroups and the rules: http://www.fli4l.de/hilfe/newsgruppen/

4.4.
Default setting: DHCP_CLIENT_x_ROUTE='default'

DHCP_CLIENT_x_USEPEERDNS
If this variable is set to 'yes' and the device has a default route assigned, the ISP's DNS server is used as a DNS forwarder on this route. Make sure to activate DNS forwarding - see base.txt.
Default setting: DHCP_CLIENT_x_USEPEERDNS='no'

DHCP_CLIENT_x_HOSTNAME
Some ISPs require a hostname to be forwarded. Ask your ISP for this and list it here. It does not have to be identical to the router hostname.
IP4 – IP address (IPv4) of the n-th host
IP6 – IP address (IPv6) of the n-th host (optional). If you use "auto", the address will be computed automatically: either the address ::ffff: will be used, or (if you activate OPT_IPV6) a "proper" IPv6 address will be set, consisting of an IPv6 prefix (with /64 subnet mask) and the MAC address of the corresponding host. In order to make this work, you will have to set HOST_x_MAC (see below) and to properly configure the "ipv6" package.
General DNS options

DNS_BIND_INTERFACES
If you choose 'yes' here, dnsmasq does not listen on all IP addresses and only binds and listens to the IP addresses defined in DNS_LISTEN. With option 'no' dnsmasq listens on all interfaces and IP addresses, discarding requests it normally should not react to. This is a problem if you want to use several DNS servers on different IP addresses. Additional DNS servers on fli4l can be necessary, e.g. if you need a slave DNS on fli4l.
DNS_REDIRECT_N='1'
DNS_REDIRECT_1='yourdom.dyndns.org'
DNS_REDIRECT_1_IP='192.168.6.200'

This redirects a query for yourdom.dyndns.org to IP 192.168.6.200.

DNS_BOGUS_PRIV
If you set this variable to 'yes', reverse lookups for IP addresses of RFC 1918 (private address ranges) are not forwarded to other DNS servers but answered by dnsmasq itself.

DNS_FILTERWIN2K
If this is set to 'yes', DNS queries of type SOA, SRV, and ANY will be blocked.
simply be switched off, so that the polling software has to deal with hosts not responding anyway.

DNS_SUPPORT_IPV6 (optional)
Setting this optional variable to 'yes' enables support for IPv6 addresses of the DNS server.

DNS Zone Configuration

Dnsmasq can also manage a DNS domain autonomously, being "authoritative" for it.
Example:
DNS_AUTHORITATIVE_IPADDR='IP_NET_2_IPADDR'

DNS_ZONE_NETWORK_N
DNS_ZONE_NETWORK_x
Specify the network addresses here for which dnsmasq should resolve names authoritatively. Both forward (name to address) and reverse lookup (address to name) will work.

A complete example:
DNS_AUTHORITATIVE='yes'
DNS_AUTHORITATIVE_NS='fli4l.noip.
ISDN_CIRC_1_ROUTE='0.0.0.0'
ISDN_CIRC_2_ROUTE='0.0.0.0'

We set a default route on both circuits and then switch the route with the imond client as desired. Also in this case set DNS_ZONE_DELEGATION_N and DNS_ZONE_DELEGATION_x_DOMAIN_x as described above. If you want reverse DNS resolution for such a network (e.g. a mail server will need this), you can provide the optional variable DNS_ZONE_DELEGATION_x_NETWORK_x, which lists the networks for active reverse lookup.
DNS_REBINDOK_N='8'
DNS_REBINDOK_1_DOMAIN='rfc-ignorant.org'
DNS_REBINDOK_2_DOMAIN='spamhaus.org'
DNS_REBINDOK_3_DOMAIN='ix.dnsbl.manitu.net'
DNS_REBINDOK_4_DOMAIN='multi.surbl.org'
DNS_REBINDOK_5_DOMAIN='list.dnswl.org'
DNS_REBINDOK_6_DOMAIN='bb.barracudacentral.org'
DNS_REBINDOK_7_DOMAIN='dnsbl.sorbs.net'
DNS_REBINDOK_8_DOMAIN='nospam.login-solutions.de'

4.5.3. DHCP-server

OPT_DHCP
With OPT_DHCP you can activate the DHCP server.
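Returning to the DNS options of this section (DNS_BIND_INTERFACES, DNS_BOGUS_PRIV, DNS_FILTERWIN2K, DNS_REDIRECT_x and the DNS_REBINDOK_x_DOMAIN list above), the following script shows what those settings amount to in dnsmasq terms. It is an added illustration, not fli4l's own generator: the variable meanings are taken from the text, the dnsmasq option names from dnsmasq itself. The DNS_LISTEN_N / DNS_LISTEN_x indexing and the sample values are assumptions; the text only names DNS_LISTEN, and it does not show the switch that turns rebind protection on, so stop-dns-rebind is emitted unconditionally here.

```shell
#!/bin/sh
# Map a handful of the DNS_* variables from this section to the dnsmasq
# options they stand for. Added illustration, not fli4l code.

# Constructed sample values in the documented variable syntax.
DNS_BIND_INTERFACES='yes'
DNS_LISTEN_N='2'                 # DNS_LISTEN_N/_x indexing is assumed
DNS_LISTEN_1='192.168.6.1'
DNS_LISTEN_2='127.0.0.1'
DNS_BOGUS_PRIV='yes'
DNS_FILTERWIN2K='no'
DNS_REDIRECT_N='1'
DNS_REDIRECT_1='yourdom.dyndns.org'
DNS_REDIRECT_1_IP='192.168.6.200'
DNS_REBINDOK_N='2'
DNS_REBINDOK_1_DOMAIN='spamhaus.org'
DNS_REBINDOK_2_DOMAIN='dnsbl.sorbs.net'

# Print the dnsmasq configuration lines derived from the variables above.
render_dnsmasq_conf() {
    if [ "$DNS_BIND_INTERFACES" = "yes" ]; then
        # Answer only on the listed addresses instead of on every interface,
        # which leaves the other addresses free for a second DNS server.
        echo "bind-interfaces"
        i=1
        while [ "$i" -le "$DNS_LISTEN_N" ]; do
            eval "addr=\$DNS_LISTEN_$i"
            echo "listen-address=$addr"
            i=$((i + 1))
        done
    fi
    # Never forward reverse lookups for RFC 1918 space to upstream servers.
    if [ "$DNS_BOGUS_PRIV" = "yes" ]; then echo "bogus-priv"; fi
    # Drop the SOA/SRV/ANY queries that Windows clients send to the resolver.
    if [ "$DNS_FILTERWIN2K" = "yes" ]; then echo "filterwin2k"; fi
    # DNS_REDIRECT_x: answer the name locally with the configured address.
    i=1
    while [ "$i" -le "$DNS_REDIRECT_N" ]; do
        eval "name=\$DNS_REDIRECT_$i; ip=\$DNS_REDIRECT_${i}_IP"
        echo "address=/$name/$ip"
        i=$((i + 1))
    done
    # Rebind protection refuses upstream answers that point into private
    # ranges. DNS blocklists legitimately answer with 127.0.0.x, so the
    # DNS_REBINDOK_x_DOMAIN entries are exempted from that check.
    echo "stop-dns-rebind"
    i=1
    while [ "$i" -le "$DNS_REBINDOK_N" ]; do
        eval "dom=\$DNS_REBINDOK_${i}_DOMAIN"
        echo "rebind-domain-ok=/$dom/"
        i=$((i + 1))
    done
}

render_dnsmasq_conf
```

With the sample values the script prints bind-interfaces, two listen-address lines, bogus-priv, one address=/.../ line, stop-dns-rebind and two rebind-domain-ok lines; filterwin2k is absent because DNS_FILTERWIN2K is 'no'.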
DHCP_RANGE_x_START sets the first IP address that can be used. DHCP_RANGE_x_END sets the last assignable IP address. Both variables DHCP_RANGE_x_START and DHCP_RANGE_x_END can be left empty; then there will be no DHCP range, but hosts with MAC assignments will still receive their values from the other variables.

DHCP_RANGE_x_DNS_SERVER1 sets the address of the DNS server for DHCP hosts of the network. This variable is optional. If left empty or omitted, the IP address of the matching network is used.
Not allowed DHCP clients

DHCP_DENY_MAC_N
Number of MAC addresses of hosts which should be rejected.

DHCP_DENY_MAC_x
MAC address of the host which should be rejected.

Support For Network Booting

Dnsmasq supports clients booting by BOOTP/PXE over the network. The information needed for this is provided by dnsmasq and is configured per subnet and host.
• relay with two interfaces
• interface to the clients: eth0, 192.168.6.1
• interface to the DHCP server: eth1, 192.168.7.1
• DHCP server: 192.168.7.2

A route on the DHCP server has to exist over which the answers to 192.168.6.1 can reach their destination. If the router on which the relay is running is the default gateway for the DHCP server, everything is fine already. If not, an extra route is needed. If the DHCP server is a fli4l, the following config variable is sufficient: IP_ROUTE_x='192.
YADIFA_ALLOW_QUERY_N
YADIFA_ALLOW_QUERY_x
Sets the IP addresses and nets that are allowed to access YADIFA. This setting will be used by YADIFA to configure fli4l's packet filter accordingly and to generate the configuration files for YADIFA. With the prefix "!" access to YADIFA is denied for the IP address or network in question. The fli4l packet filter will be configured in a way that all nets allowed in this variable and those for the zones are joined in an ipset list (yadifa-allow-query).
4.6.1. General Configuration Variables

The packages all use the same configuration variables; they differ only by the package name prefixes. As an example: in all packages the user name is required. The variable is named PPPOE_USER, PPTP_USER or FRITZDSL_USER depending on the package. The variables are described with the missing prefix indicated by an asterisk. In concrete examples PPPOE is assumed, but these are valid with any other prefix too.

*_NAME
Set a name for the circuit - max.
PPPOE_USER='111111111111222222#0001@t-online.de'

Information on user IDs for other providers is found in the FAQ:
• http://extern.fli4l.de/fli4l_faqengine/faq.php?list=category&catnr=3&prog=1

*_HUP_TIMEOUT
Specify the time in seconds after which the connection will be terminated when no more traffic is detected on the DSL line. A timeout of '0' or 'never' stands for no timeout. With 'never' the router immediately reconnects after a disconnection.
Example (read as one long line):
PPPOE_TIMES='Mo-Fr:09-18:0.049:N Mo-Fr:18-09:0.044:Y Sa-Su:00-24:0.039:Y'

Important: Times used in *_TIMES have to cover the whole week. If that is not the case, a valid configuration can't be built. If the time ranges of all LC-default-route circuits ("Y") together don't contain the complete week, there will be no default route in these gaps. No Internet access will be possible at these times!

One more simple example:
PPPOE_TIMES='Mo-Su:00-24:0.
• small mails can be sent but big mails can't,
• ssh works, scp hangs after the initial connection.

To work around these problems fli4l manipulates the MTU by default. In some cases this is not enough, so fli4l explicitly permits setting the MSS (message segment size) to a value given by the provider. If the provider does not give any values, 1412 is a good start to try. If an MTU is given by the provider, subtract 40 bytes here (MSS = MTU - 40).
PPPOE_ETH
Name of the Ethernet interface:
'eth0'  first Ethernet card
'eth1'  second Ethernet card
...     ...
Default setting: PPPOE_ETH='eth1'

PPPOE_TYPE
PPPoE stands for transmission of PPP packets over Ethernet lines. Data to be transmitted is transformed into PPP packets in a first step and then, in a second step, wrapped in PPPoE packets to be transmitted over Ethernet to the DSL modem. The second step can be done by the pppoe daemon or by the kernel.
it is not possible to provide them with the DSL package. It is essential to download these drivers beforehand from http://www.fli4l.de/download/stabile-version/avm-treiber/ and to extract them into the fli4l directory. Circuit support for Fritz!Card DSL was realised with the friendly help of Stefan Uterhardt (email: zer0@onlinehome.de).

OPT_FRITZDSL activates support for Fritz!DSL. Default setting: OPT_FRITZDSL='no'.

FRITZDSL_TYPE
Several Fritz! cards exist for a DSL connection.
IP_NET_N='1'             # Only *one* card with IP address!
IP_NET_1xxx='...'        # the usual parameters

PPTP_ETH is set to 'eth1' for the second Ethernet card and *no* IP_NET_2-xxx variables are defined.

OPT_PPTP activates support for PPTP. Default setting: OPT_PPTP='no'.

PPTP_ETH
Name of the Ethernet interface:
'eth0'  first Ethernet card
'eth1'  second Ethernet card
...     ...
Default setting: PPTP_ETH='eth1'

PPTP_MODEM_TYPE
There are several PPTP modem types to realise a PPTP connection.
4.6.5. OPT_POESTATUS - PPPoE-Status-Monitor On fli4l-Console

The PPPoE status monitor for DSL connections was developed by Thorsten Pohlmann. With the setting OPT_POESTATUS='yes' the DSL status can be watched on the third fli4l console at any time. Switch to the third console by pressing ALT-F3 and back to the first console with ALT-F1.

4.7. DYNDNS - Dynamic Update For Domain Name Services

This package is used to update a dynamic hostname at every dial-in process.
Provider              DYNDNS_x_PROVIDER   Homepage
DynDNS.org            DYNDNS              http://dyn.com/
DynDNS.org (custom)   DYNDNSC             http://dyn.com/standard-dns/
DynDNS DK             DYNDNSDK            http://dyndns.dk/
dyndns:free           DYNDNSFREE          http://dyndnsfree.de/
eisfair.net           DYNEISFAIR          http://www.intersales.de/it-infrastruktur/dyneisfair.
Provider      DYNDNS_x_PROVIDER   Homepage
OVH.DE        OVHDE               http://www.ovh.de/
PHPDYN        PHPDYN              http://www.webnmail.de/phpdyn/ (Important: you have to host this type yourself)
Regfish.com   REGFISH             http://www.regfish.
can be guided by the table above to find a host name which fulfills the requirements and meets personal taste. For the configuration you will need the following data:
• Name of the provider
• Username
• Password
• DynDNS hostname

The data may vary with the provider while we try to provide a consistent configuration. Sometimes the hostname equals the username; in such cases we will try to use the host field and ignore the username.

OPT_DYNDNS
Setting this to 'yes' activates OPT_DYNDNS.
DYNDNS_1_CIRCUIT='1 2 3'      # Only ISDN: Circuits 1 to 3
or
DYNDNS_1_CIRCUIT='pppoe'      # Only DSL: pppoe circuit
or
DYNDNS_1_CIRCUIT='dhcp'       # Update with DHCP providers (opt_dhcp needed)
or
DYNDNS_1_CIRCUIT='pppoe 1'    # DSL and ISDN
or
DYNDNS_1_CIRCUIT='static'     # fli4l e.g. behind an LTE router

DYNDNS_x_RENEW
Some providers expect an update every n days even without your IP having changed. This interval may be set here. If no value is given, an update will be forced every 29 days.
DYNDNS_LOOKUP_NAMES
The IP should only be updated if it really changed. Many fli4l routers don't have permanent data storage like a hard disk where this information could be saved to be present at boot time. To prevent unnecessary updates fli4l may query name servers (only in this case) for its currently registered IP. The information will be saved and used for further updates. Note that after a reboot a new update interval will start if fli4l uses a name server to detect its IP.
• xxx will be executed Monday to Friday from 7AM to 8PM every full hour.
EASYCRON_1_COMMAND = 'xxx'
EASYCRON_1_TIME = '0 7-20 0 * 1-5'
• The router terminates the DSL Internet connection each night at 03:40AM and reestablishes it after 5 seconds. Device names to be used: pppoe, ippp[1-9], ppp[1-9].
EASYCRON_1_COMMAND = 'fli4lctrl hangup pppoe; sleep 5; fli4lctrl dial pppoe'
EASYCRON_1_TIME = '40 3 * * *'

Further information on the cron syntax can be found here (German):
• http://www.
HD-Installation In Six Simple Steps

1. Create a bootable fli4l medium with package BASE and OPT_HDINSTALL. This medium must be able to perform remote updates: either OPT_SSHD must be activated or START_IMOND is set to 'yes'. If additional drivers not contained in the standard installation are necessary to access the hard disk, configure OPT_HDDRV as well.
2. Boot the router with the installation medium.
3. Log in to the router console and execute "hdinstall.sh".
4. Transfer the files syslinux.
BOOT_TYPE             set according to the type of boot media for the installation
MOUNT_BOOT='rw'       necessary to copy new archives (*.img) to the hard disk over the network
OPT_HDINSTALL='yes'   necessary to have the setup script and tools for formatting partitions on the boot media
(OPT_HDDRV='yes')     only necessary if the hard disk needs special drivers
OPT_SSHD='yes'        after preparation of the hard disk, files eventually have to be copied via remote update
4.9.2. OPT_MOUNT - Automatic Mounting Of Filesystems

OPT_MOUNT mounts data partitions created during installation to /data; file system checks will be performed automatically when needed. CD-ROMs will be mounted to /cdrom if a CD is inserted. For swap partitions OPT_MOUNT is not needed! OPT_MOUNT reads the configuration file hd.cfg on the boot partition and mounts the partitions mentioned there.
EXTMOUNT_x_OPTIONS
Specify special options to be passed to the 'mount' command here.

Example:
EXTMOUNT_1_VOLUMEID='sda2'           # device
EXTMOUNT_1_FILESYSTEM='ext3'         # filesystem
EXTMOUNT_1_MOUNTPOINT='/mnt/data'    # mountpoint for device
EXTMOUNT_1_OPTIONS=''                # extra mount options passed via mount -o

4.9.4. OPT_HDSLEEP – Setting Automatic Sleep Mode For Harddisks

A hard disk can power down after a certain period without activity. The disk will then save power and operate quietly.
HDDRV_x_OPTION
With HDDRV_x_OPTION additional options can be passed that some drivers need for proper operation (for example an IO address). This variable can be empty for most drivers.

In the Appendix (Page 352) you may find an overview of the most common errors concerning hard disk and CompactFlash operation.
HTTPD_LISTENIP
The web server usually binds to a so-called wildcard address in order to be accessible on any router interface. With this parameter the web server can be made to bind to only one IP address. The corresponding IP address is given here as IP_NET_x_IPADDR. Normally this parameter is left blank, so the default (accessible on any interface IP) is used. This parameter is used to bind the httpd to only one IP so that other instances can bind to other IPs on the router.
Range
"status"    Everything in menu 'Status'.
view        User can access all menu items.
dial        User can dial and hang up connections.
boot        User can reboot and shut down the router.
link        User can switch channel bundling.
circuit     User can switch circuits.
dialmode    User can switch dialmodes (Auto, Manual, Off).
conntrack   User can view currently active connections.
dyndns      User can view logfiles of package DYNDNS (Page 112).
OAC_INPUT (optional)
Provides protection against circumvention via proxy. OAC_INPUT='default' blocks the default ports for Privoxy, Squid, Tor, SS5 and Transproxy. OAC_INPUT='tcp:8080 tcp:3128' blocks TCP ports 8080 and 3128. This is a space-separated list of ports to be blocked and their respective protocol (udp, tcp). Omitting the protocol blocks both udp and tcp. Omitting this variable or setting it to 'no' deactivates the function.
4.11. HWSUPP - Hardware support

4.11.1. Description

This package supplies support for special hardware components.
4.11.2. Configuration of the HWSUPP package

The configuration is made, as for all fli4l packages, by adjusting the file <path>/fli4l-3.10.1/config/hwsupp.txt to meet your own demands.

OPT_HWSUPP
The setting 'no' deactivates the OPT_HWSUPP package completely. There will be no changes made to the fli4l boot medium or the archive opt.img. OPT_HWSUPP does not overwrite any other parts of the fli4l installation. To activate OPT_HWSUPP set the variable OPT_HWSUPP to 'yes'.
• conservative: The CPU frequency will be adjusted depending on the current CPU usage. The frequency is changed step by step.
• powersave: The CPU always runs at the lowest available frequency.
• userspace: The CPU frequency can be set manually or by a user script via the sysfs variable /devices/system/cpu/cpu/cpufreq/scaling_setspeed.

HWSUPP_LED_N
Defines the number of LEDs. The number of LEDs of the hardware in use should be entered here.
HWSUPP_LED_x_PARAM
Defines parameters for the selected LED information. Depending on the selection in HWSUPP_LED_x, different settings are possible in HWSUPP_LED_x_PARAM. If HWSUPP_LED_x='trigger' is set, the trigger name has to be specified in HWSUPP_LED_x_PARAM. Available triggers can be displayed with the shell command cat /sys/class/leds/*/trigger. Besides triggers created e.g. by netfilter or by hardware drivers like ath9k, further trigger modules can be loaded via HWSUPP_DRIVER_x.
HWSUPP_BUTTON_x
Defines the action which should be executed on button press. The following actions are supported:
• reset - restart the fli4l router
• online - causes an Internet dial-in or terminates an Internet connection
• user - a user script will be executed
The list of possible actions can be extended by other packages. If the WLAN package is loaded, e.g. the action
• wlan - activate or deactivate WLAN
is possible.

HWSUPP_BUTTON_x_DEVICE
Specifies the button device.
4.11.3. Expert settings

The following settings should only be touched if you know exactly
• which hardware you have,
• which additional drivers it needs and
• the addresses and types of I²C devices.
Activating the expert settings will issue a warning during the mkfli4l build.

HWSUPP_DRIVER_N
Number of additional drivers. The drivers in HWSUPP_DRIVER_x will be loaded in the denoted order.

HWSUPP_DRIVER_x
Driver name (without file extension .ko).
VPN_CARD_TYPE
This configuration variable defines the type of the VPN accelerator. The following values are supported:
• hifn7751 - Soekris vpn1401 and vpn1411
• hifnhipp

4.12. IPv6 - Internet Protocol Version 6

4.12.1. Introduction

This package enables fli4l to support IPv6 in many ways. This includes information about the router's IPv6 address, the IPv6 (sub)networks managed by it, predefined IPv6 routes and firewall rules regarding IPv6 packets.
Such a reduction is only allowed once to avoid ambiguities. The address 2001:0:0:1:2:0:0:3 can thus either be shortened to 2001::1:2:0:0:3 or 2001:0:0:1:2::3 but not to 2001::1:2::3, because then it would be unclear how the four zeros are distributed over the contracted regions.
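The two address rules in this package's text, the "::" reduction just described and the "auto" host address made from a /64 prefix plus the host's MAC address (HOST_x IP6 above), can be exercised with the following helpers. This is an added example, not fli4l code: double_colon_count rejects ambiguous forms like 2001::1:2::3, compress_ipv6 produces the canonical short form (RFC 5952: longest zero run, first one on a tie, single zero groups never contracted), and eui64_address builds the host address as a modified EUI-64 (RFC 4291 appendix A). That fli4l's "auto" mode derives the address exactly that way is an assumption; the prefix and MAC values are constructed.

```shell
#!/bin/sh
# IPv6 address helpers for the rules described in this section.
# Added example, not fli4l code. The EUI-64 construction is assumed to be
# what "auto" does; the page only says prefix plus MAC address.

# double_colon_count ADDR: how often "::" occurs. More than once makes the
# address ambiguous, as the text explains for 2001::1:2::3.
double_colon_count() {
    rest=$1; n=0
    while [ "${rest#*::}" != "$rest" ]; do
        n=$((n + 1)); rest=${rest#*::}
    done
    echo "$n"
}

# compress_ipv6 ADDR: ADDR is written out with all eight groups. Prints the
# canonical short form: leading zeros dropped, the longest run of at least
# two zero groups replaced by "::" (the first run wins a tie).
compress_ipv6() {
    IFS=:; set -- $1; unset IFS
    if [ $# -ne 8 ]; then echo "expected 8 groups: $*" >&2; return 1; fi
    groups=""; best_start=-1; best_len=1; run_start=-1; run_len=0; i=0
    for g in "$@"; do
        v=$(printf '%x' "$((0x$g))")      # normalise case and leading zeros
        groups="$groups $v"
        if [ "$v" = "0" ]; then
            if [ "$run_len" -eq 0 ]; then run_start=$i; fi
            run_len=$((run_len + 1))
            if [ "$run_len" -gt "$best_len" ]; then
                best_start=$run_start; best_len=$run_len
            fi
        else
            run_len=0
        fi
        i=$((i + 1))
    done
    out=""; i=0
    for v in $groups; do
        if [ "$best_start" -ge 0 ] && [ "$i" -ge "$best_start" ] \
           && [ "$i" -lt $((best_start + best_len)) ]; then
            if [ "$i" -eq "$best_start" ]; then out="$out::"; fi
        else
            if [ -n "$out" ] && [ "${out%:}" = "$out" ]; then out="$out:"; fi
            out="$out$v"
        fi
        i=$((i + 1))
    done
    echo "$out"
}

# eui64_address PREFIX MAC: PREFIX is the /64 prefix as its four leading
# groups (e.g. 2001:db8:0:1), MAC the host's hardware address. The two MAC
# halves are joined by ff:fe and the universal/local bit (0x02) of the
# first byte is inverted; the result is printed in compressed form.
eui64_address() {
    prefix=$1
    IFS=:; set -- $2; unset IFS
    if [ $# -ne 6 ]; then echo "expected 6 MAC bytes: $*" >&2; return 1; fi
    b1=$(printf '%02x' "$((0x$1 ^ 0x02))")
    compress_ipv6 "$prefix:$b1$2:${3}ff:fe$4:$5$6"
}

compress_ipv6 2001:0:0:1:2:0:0:3            # the text's first short form
double_colon_count 2001::1:2::3             # 2: not a valid address
eui64_address 2001:db8:0:1 00:11:22:33:44:55
```

Because the interface identifier embeds the MAC address, an "auto" address reveals the host's hardware address to every peer it talks to; that is the trade-off behind deriving it from HOST_x_MAC.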
Important: If the subnet is connected to a tunnel (see IPV6_NET_x_TUNNEL below), only the part of the router address that is not assigned to the tunnel's subnet prefix (to be found in IPV6_TUNNEL_x_PREFIX) is specified here, because that prefix and the address are combined! In previous versions of the IPv6 package the variable IPV6_TUNNEL_x_PREFIX did not exist and subnet prefix and router address were combined together in IPV6_NET_x.
addresses, which will not work if the host part is not 64 bits. If the self-configuration fails, the subnet prefix should be checked for incorrect length (for example /48).
Default setting: IPV6_NET_1_ADVERTISE='yes'

IPV6_NET_x_ADVERTISE_DNS
This variable determines whether the local DNS service in IPv6 subnets should be advertised by "Router Advertisements". This only works if the IPv6 functionality of the DNS service is activated using DNS_SUPPORT_IPV6='yes'.
IPV6_TUNNEL_x_TYPE
This variable determines the type of the tunnel. Currently, the values "raw", "static", "sixxs" for dynamic heartbeat tunnels by the provider SixXS and "he" for tunnels of the provider Hurricane Electric are supported. More about heartbeat tunnels in the next paragraph.
Example: IPV6_TUNNEL_1_TYPE='sixxs'

IPV6_TUNNEL_x_DEFAULT
This variable determines whether IPv6 packets which are not addressed to local networks are allowed to be routed through this tunnel.
IPV6_TUNNEL_x_REMOTEV4
This variable contains the remote IPv4 address of the tunnel. Usually this value is given to you by the tunnel provider.
Example (as used by PoP deham01 by Easynet): IPV6_TUNNEL_1_REMOTEV4='212.224.0.188'

Important: If PF_INPUT_ACCEPT_DEF is set to "no" (the IPv4 firewall is configured manually), you will need a firewall rule to accept all IPv6-in-IPv4 packets (IP protocol 41) from the tunnel endpoint.
IPV6_TUNNEL_x_PASSWORD
This variable contains the password for the username above. It can't contain spaces.
Example: IPV6_TUNNEL_1_PASSWORD='passwort'

IPV6_TUNNEL_x_TUNNELID
This variable contains the identifier of the tunnel. The name of a SixXS tunnel always starts with a capital 'T'.
Example: IPV6_TUNNEL_1_TUNNELID='T1234'

IPV6_TUNNEL_x_TIMEOUT (optional)
This variable contains the maximum waiting time in seconds for the tunnel to establish.
PF6_INPUT_POLICY
This variable sets the default policy for all incoming packets for the router (INPUT chain). Possible values are "REJECT" (default: rejects all packets), "DROP" (discards all packets without further notice) and "ACCEPT" (accepts all packets). For a detailed description see the documentation of PF_INPUT_POLICY.
Default setting: PF6_INPUT_POLICY='REJECT'

PF6_INPUT_ACCEPT_DEF
This variable activates the predefined rules for the INPUT chain of the IPv6 firewall.
PF6_INPUT_N
This variable contains the number of IPv6 firewall rules for incoming packets (INPUT chain). By default two rules are activated: the first allows all local hosts to access the router on so-called link-local addresses, the second allows hosts from the first defined IPv6 subnet to access the router. If multiple local IPv6 subnets are defined, the second rule has to be cloned accordingly. See the configuration file for details.
PF6_FORWARD_LOG_LIMIT
This variable configures the log limit for the FORWARD chain of the IPv6 firewall to keep the log readable. For a detailed description see the documentation of PF_FORWARD_LOG_LIMIT.
Default setting: PF6_FORWARD_LOG_LIMIT='3/minute:5'

PF6_FORWARD_REJ_LIMIT
This variable sets the limit for the rejection of forwarded TCP packets. If a packet exceeds this limit it will be dropped without further notice (DROP). For a detailed description see the documentation of PF_FORWARD_REJ_LIMIT.
all packages). For a more detailed description see the documentation of the variable PF_OUTPUT_POLICY.
Default setting: PF6_OUTPUT_POLICY='REJECT'

PF6_OUTPUT_ACCEPT_DEF
This variable enables the default rules for the OUTPUT chain of the IPv6 firewall. Possible values are "yes" or "no". Currently, there are no preset rules.
Default setting: PF6_OUTPUT_ACCEPT_DEF='yes'

PF6_OUTPUT_LOG
This variable enables logging of all rejected outgoing packets. Possible values are "yes" or "no".
• All IPv6 address strings (including IP_NET_x etc.) must be enclosed in square brackets if followed by a port or a port range.
Example: PF6_OUTPUT_1='tmpl:ftp IPV6_NET_1 ACCEPT HELPER:ftp'

PF6_OUTPUT_x_COMMENT
This variable contains a description or comment for the associated OUTPUT rule.
Example: PF6_OUTPUT_3_COMMENT='no samba traffic allowed'

PF6_USR_CHAIN_N
This variable holds the number of IPv6 firewall tables defined by the user.
PF6_PREROUTING_N
This variable contains the number of IPv6 firewall rules for forwarding to a different destination (PREROUTING chain). For a more detailed description see the documentation of variable PF_PREROUTING_N.
Example: PF6_PREROUTING_N='2'

PF6_PREROUTING_x
PF6_PREROUTING_x_COMMENT
A list of rules that set which IPv6 packets should be forwarded by the router to another destination. For a more detailed description see the documentation of variable PF_PREROUTING_x.

4.12.4.
parameter lc-default-route (y/n). fli4l (resp. imond) will trigger a connection to the Internet provider and ensure that all packets leaving the local net are routed over the circuit that is active at this time. The standard use cases in summary:
• If simply a connection to the Internet is intended, DIALMODE is set to auto and 1-n circuits are to be defined which have an initial route of '0.0.0.0/0' and whose times (times with lc-default-route = y) cover the whole week.
[Table of ISDN card types (columns: Type, Card); the extraction lost the assignment of type numbers to cards. Type numbers appearing: 6 to 19. Cards appearing: ELSA PCC/PCF cards, ELSA Quickstep 1000, Teles 16.3 PCMCIA, ITK ix1-micro Rev.2, ELSA PCMCIA, Eicon.Diehl Diva ISA PnP, Eicon.Diehl Diva PCI, ASUS COM ISDNLink, HFC-2BS0 based cards, Teles 16.]
Type   Card                                                    Needed parameters

Type numbers for CAPI drivers:
100    Generic CAPI device without ISDN functionality, i.e.   no parameter
"cat /proc/pci" as "tiger" or similar. To use ISDN types 104 to 114 the matching drivers have to be downloaded from http://www.fli4l.de/download/stabile-version/avm-treiber/. Unpack them into the fli4l directory. They cannot be included because these drivers are not GPL'd. For ISDN types 81, 82, 109 to 113 and 303 it is necessary to activate USB support. See USB - Support for USB-devices (Page 231). To use ISDN types 10, 22, 26, 39, 103 or 114 it is necessary to activate PCMCIA PC-Card support.
Important: If calls should be logged with telmond, don't set this value lower than 2; otherwise telmond would lack the information needed for logging.
Default setting: ISDN_VERBOSE_LEVEL='2'

ISDN_FILTER
Activates the filtering mechanism of the kernel to achieve a hangup after the specified hangup timeout. See http://www.fli4l.de/hilfe/howtos/basteleien/hangup-problem-loesen/ for additional information.

ISDN_FILTER_EXPR
Specifies the filter to use if ISDN_FILTER is set to 'yes'.

4.13.3.
If fli4l is simply used as an Internet gateway, only one circuit is needed. Exception: fli4l's least-cost features should be used. In this case define different circuits for all allowed timespans, see below.

ISDN_CIRC_N
Sets the number of used ISDN circuits. If fli4l is used only to monitor incoming ISDN calls, set: ISDN_CIRC_N='0'
If fli4l is simply used as an Internet gateway, one circuit is enough. Exception: LC routing, see below.
ISDN_CIRC_x_TYPE
ISDN_CIRC_x_TYPE specifies the type of connection x. Possible values are:
'raw'  RAW-IP
'ppp'  Sync-PPP
In most cases PPP is used; Raw-IP is a little more efficient because of the missing PPP overhead. Authentication is not possible with Raw-IP, but with the variable ISDN_CIRC_x_DIALIN (see below) limitations to explicit ISDN numbers ("CLIP") can be accomplished. If ISDN_CIRC_x_TYPE is set to 'raw', a raw up/down script in /etc/ppp will be executed analogous to the PPP up/down scripts.
• ISDN_CIRC_1_BANDWIDTH='10000 30'
This is intended to add a second channel after 30 seconds if 10000 B/s were reached during that timespan. This won't work because ISDN has a maximum transfer rate of 8 kB/s.
If ISDN_CIRC_x_BUNDLING='no' is set, the value in variable ISDN_CIRC_x_BANDWIDTH is irrelevant.
Default setting: ISDN_CIRC_x_BANDWIDTH=''

ISDN_CIRC_x_LOCAL
This variable holds the local IP address on the ISDN side. This value should be empty if using dynamic address assignment.
ISDN_CIRC_x_FRAMECOMP (EXPERIMENTAL)
This parameter is only used if OPT_ISDN_COMP is set to 'yes'. It handles frame compression.
ISDN_CIRC_%_ROUTE_N='2'
ISDN_CIRC_%_ROUTE_1='192.168.8.0/24'
ISDN_CIRC_%_ROUTE_2='192.168.9.0/24'

All nets must have an explicit entry; hence for each route a new ISDN_CIRC_x_ROUTE_y='' line has to be provided. For using fli4l's LC routing features a default route can be assigned to *several* circuits. Which circuit is used is driven by ISDN_CIRC_x_TIMES, see below.

ISDN_CIRC_x_DIALOUT
ISDN_CIRC_x_DIALOUT specifies the telephone number to be dialed.
• ISDN_CIRC_x_CALLBACK='out': In this case ISDN_CIRC_x_CBDELAY is the ringing timespan for the other party until fli4l waits for the callback. ISDN_CIRC_x_CBDELAY='3' is a good rule of thumb here as well. On long distance calls it takes up to 3 seconds until the other router even recognizes the call. If in doubt, simply try.
If ISDN_CIRC_x_CALLBACK='off' is set, ISDN_CIRC_x_CBDELAY is ignored. This variable is ignored with the Callback Control Protocol as well.
ISDN_CIRC_x_CHARGEINT
Set the charge interval in seconds which will be used for calculating online costs. Most providers charge in minute intervals. In this case use the value '60'. For providers that charge in seconds set ISDN_CIRC_x_CHARGEINT to '1'.
Addition for ISDN_CIRC_x_CHARGEINT <= 60 seconds: If no traffic was detected for ISDN_CIRC_x_HUP_TIMEOUT seconds, the connection will be terminated approx. 2 seconds before reaching the end of the charge interval.
Important: Timespans specified in ISDN_CIRC_x_TIMES have to cover the whole week. Without that no valid configuration can be generated. If the timespans of all LC-default-route circuits ("Y") don't cover the complete week, no default route exists during the missing times. Therefore no Internet connections are possible!

Example:
ISDN_CIRC_1_TIMES='Sa-Su:00-24:0.044:Y Mo-Fr:09-18:0.049:N Mo-Fr:18-09:0.044:N'
ISDN_CIRC_2_TIMES='Sa-Su:00-24:0.044:N Mo-Fr:09-18:0.019:Y Mo-Fr:18-09:0.
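The whole-week rule stated for ISDN_CIRC_x_TIMES here and for *_TIMES (PPPOE_TIMES) in the DSL section is easy to get wrong by hand, so the following checker walks the 168 hour slots of a week and reports how many are not covered. It is an added example, not the check mkfli4l performs. One assumption is made about the syntax: a wrapping hour range such as 18-09 is read as 18:00 to 24:00 plus 00:00 to 09:00 on each listed day, which is the only reading under which the documented example covers the whole week. Called with "Y" as the second argument it counts only lc-default-route entries, i.e. the hours in which there would be no default route; called without it, it checks the validity rule over all entries.

```shell
#!/bin/sh
# Coverage check for fli4l *_TIMES values (PPPOE_TIMES, ISDN_CIRC_x_TIMES).
# Added illustration, not a fli4l script. Assumption: an hour range that
# wraps (18-09) means 18:00-24:00 plus 00:00-09:00 on each listed day.

# Map a two-letter day name to 0..6 (Mo=0 ... Su=6).
day_index() {
    case "$1" in
        Mo) echo 0 ;; Tu) echo 1 ;; We) echo 2 ;; Th) echo 3 ;;
        Fr) echo 4 ;; Sa) echo 5 ;; Su) echo 6 ;;
        *) echo "unknown day name: $1" >&2; return 1 ;;
    esac
}

# uncovered_hours SPEC [FLAG]
# Prints how many of the week's 168 hour slots no entry of SPEC covers.
# With FLAG "Y" only lc-default-route entries count (hours without a
# default route); with FLAG empty every entry counts (validity rule).
uncovered_hours() {
    spec=$1; want=${2:-}
    covered=""
    for entry in $spec; do
        # Split "Mo-Fr:18-09:0.044:Y" into days, hours, cost, flag.
        days=${entry%%:*}; rest=${entry#*:}
        hours=${rest%%:*}; rest=${rest#*:}
        flag=${rest#*:}
        if [ -n "$want" ] && [ "$flag" != "$want" ]; then continue; fi
        d=$(day_index "${days%-*}") || return 1
        d2=$(day_index "${days#*-}") || return 1
        h1=${hours%-*}; h2=${hours#*-}
        h1=${h1#0}; h2=${h2#0}              # "09" -> "9": avoid octal parsing
        n=$(( (h2 - h1 + 24) % 24 ))        # hours covered on each day
        if [ "$n" -eq 0 ]; then n=24; fi    # 00-24 is a full day
        while :; do
            i=0
            while [ "$i" -lt "$n" ]; do
                covered="$covered $(( d * 24 + (h1 + i) % 24 )) "
                i=$((i + 1))
            done
            if [ "$d" -eq "$d2" ]; then break; fi
            d=$(( (d + 1) % 7 ))
        done
    done
    missing=0; slot=0
    while [ "$slot" -lt 168 ]; do
        case "$covered" in
            *" $slot "*) ;;
            *) missing=$((missing + 1)) ;;
        esac
        slot=$((slot + 1))
    done
    echo "$missing"
}

# The PPPOE_TIMES example from the DSL section: all entries together cover
# the week (0), but Mo-Fr 09-18 (45 hours) carry no default route.
uncovered_hours 'Mo-Fr:09-18:0.049:N Mo-Fr:18-09:0.044:Y Sa-Su:00-24:0.039:Y'
uncovered_hours 'Mo-Fr:09-18:0.049:N Mo-Fr:18-09:0.044:Y Sa-Su:00-24:0.039:Y' Y
```

For several ISDN circuits, concatenate their ISDN_CIRC_x_TIMES values into one string before calling uncovered_hours with "Y": the default-route gaps are those left by all circuits together.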
TELMOND_MSN_N
If certain calls should only be visible in the imonc of some client PCs, a filter can be set so that MSNs are only logged for those PCs. If this is necessary (for example in a shared flat) the variable TELMOND_MSN_N holds the number of MSN filters.
Default setting: TELMOND_MSN_N='0'

TELMOND_MSN_x
For each MSN filter a list of IP addresses has to be set which should be able to view the call information.
In the first case the command sequence "sleep 5; imonc dial" is executed if the caller with id 0987654321 calls MSN 1234567. Two commands are executed. At first fli4l will wait for 5 seconds for the ISDN channel to become available. After that the fli4l client imonc is started with the argument "dial". imonc passes this command to the telmond server, which will establish a network connection on the default route circuit.
the router's ISDN CAPI via the network as if it were installed locally. This is similar to the package "mtgcapri". The difference is that only Windows systems can use "mtgcapri" as a client, while the network interface of rcapid only supports Linux systems at the time of writing. So both packages are ideal complements in mixed Windows and Linux environments. Router configuration OPT_RCAPID This variable activates offering the router's ISDN CAPI to remote clients.
4.14. OpenVPN - VPN Support As of version 2.1.5 the package OpenVPN is part of fli4l. Important: For using OpenVPN over the Internet a flat rate or billing based on data volume is a must! As long as the fli4l router is powered on the connection will never be hung up, because OpenVPN permanently transfers a small amount of data. Using a VPN tunnel over the Internet can thus cause high online costs. The same applies to an ISDN connection used for OpenVPN.
have to be different. Thus it is not possible to connect two nets over a tunnel that both use the IP range 192.168.6.0/24. transport net The transport network consists of two elements: • the connection between two OpenVPN daemons, described by remote_host:remote_port and (local_host:)local_port. This is equivalent to the OpenVPN settings in OPENVPN_x_REMOTE_HOST, OPENVPN_x_REMOTE_PORT, OPENVPN_x_LOCAL_HOST and OPENVPN_x_LOCAL_PORT.
OPENVPN_x_REMOTE_HOST_N Default: OPENVPN_x_REMOTE_HOST_N='0' Using dynamic DNS services is not always 100% reliable. You may simply use two or more of those DynDNS services and register your current IP address with all of them at the same time. To enable OpenVPN to go through all DynDNS names a list of additional DNS names has to be set. Together with OPENVPN_x_REMOTE_HOST, OpenVPN will try to contact these addresses in random order.
OpenVPN needs a key file for encrypting an OpenVPN connection. This key file can be generated under Windows or Linux by OpenVPN itself. Beginners may install OpenVPN's Windows software or use OpenVPN's WebGUI. If you do not want to use OpenVPN under Windows but only generate the needed key files, it is enough to install the OpenVPN User-Space Components, OpenSSL DLLs, OpenSSL Utilities, Add OpenVPN to PATH and Add Shortcuts to OpenVPN.
Figure 4.2.: fli4l config directory with OpenVPN *.secret files
OPENVPN_x_BRIDGE Default: OPENVPN_x_BRIDGE='' Holds the name of the bridge this OpenVPN connection should bind to. If BRIDGE_DEV_x_NAME='cuj-br' is set and the OpenVPN connection should bind to that bridge, 'cuj-br' has to be set here accordingly.
OPENVPN_x_BRIDGE_COST Default: OPENVPN_x_BRIDGE_COST='' If using the spanning tree protocol (STP, see http://de.wikipedia.
• The IP address may not be used for any local network device.
• The IP address may not belong to any network routed by IP_ROUTE_x.
• The IP address may not belong to any network routed by ISDN_CIRC_ROUTE_x.
• The IP address may not belong to any network routed by CIPE_ROUTE_x.
• The IP address may not belong to any network routed by OPENVPN_ROUTE_x.
• The IP address may not belong to any network used or routed by fli4l in any other way.
As you see, VPN IP addresses can't be used anywhere else.
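The rule list above, together with the requirement from the transport net section that the two nets joined by a tunnel must differ, can be checked mechanically. The checker below is an added example, not fli4l code: it reads lines in fli4l's NAME='value' form and assumes that route variables hold 'network[/prefix] [gateway]' and that the VPN addresses are kept in OPENVPN_x_LOCAL_VPN_IP and OPENVPN_x_REMOTE_VPN_IP; the config lines are constructed.

```python
"""VPN IP and route overlap check for fli4l OpenVPN settings (added example)."""
import ipaddress
import re

ASSIGNMENT = re.compile(r"^\s*([A-Z0-9_]+)='([^']*)'")
# Every variable family from the rule list; both OPENVPN route spellings used
# in the documentation are accepted, likewise for ISDN circuit routes.
NET_VARIABLE = re.compile(
    r"^(IP_NET_\d+|IP_ROUTE_\d+|ISDN_CIRC_ROUTE_\d+|ISDN_CIRC_\d+_ROUTE_\d+"
    r"|CIPE_ROUTE_\d+|OPENVPN_ROUTE_\d+|OPENVPN_\d+_ROUTE_\d+)$")
VPN_IP_VARIABLE = re.compile(r"^OPENVPN_\d+_(LOCAL|REMOTE)_VPN_IP$")   # assumed names
VPN_ROUTE_VARIABLE = re.compile(r"^(OPENVPN_ROUTE_\d+|OPENVPN_\d+_ROUTE_\d+)$")


def parse_config(text):
    """Map variable name -> value for every NAME='value' line.

    Anything after the closing quote (comments) is ignored; other lines are skipped.
    """
    config = {}
    for line in text.splitlines():
        match = ASSIGNMENT.match(line)
        if match:
            config[match.group(1)] = match.group(2)
    return config


def used_networks(config):
    """(variable, network) for every net fli4l uses locally or routes."""
    networks = []
    for name, value in config.items():
        if value and NET_VARIABLE.match(name):
            # The first field is the net; route variables may carry a gateway after it.
            networks.append((name, ipaddress.ip_network(value.split()[0], strict=False)))
    return networks


def vpn_ip_conflicts(config):
    """[(vpn_ip_variable, conflicting_variable)]; an empty list means the rules hold."""
    networks = used_networks(config)
    conflicts = []
    for name, value in config.items():
        if value and VPN_IP_VARIABLE.match(name):
            address = ipaddress.ip_address(value)
            conflicts.extend((name, net_name) for net_name, net in networks if address in net)
    return conflicts


def route_conflicts(config):
    """[(openvpn_route_variable, IP_NET_x)] for nets routed through a tunnel that
    overlap a local net; such nets cannot be joined by a tunnel."""
    local = [(n, net) for n, net in used_networks(config) if n.startswith("IP_NET_")]
    conflicts = []
    for name, value in config.items():
        if value and VPN_ROUTE_VARIABLE.match(name):
            remote = ipaddress.ip_network(value.split()[0], strict=False)
            conflicts.extend((name, n) for n, net in local if remote.overlaps(net))
    return conflicts


# Constructed sample config with two deliberate mistakes.
SAMPLE_CONFIG = """
IP_NET_N='2'
IP_NET_1='192.168.3.254/24'
IP_NET_1_DEV='eth0'
IP_NET_2='192.168.4.254/24'
IP_NET_2_DEV='eth2'
IP_ROUTE_N='1'
IP_ROUTE_1='192.168.7.0/24 192.168.3.1'
OPENVPN_N='1'
OPENVPN_1_NAME='office'
OPENVPN_1_LOCAL_VPN_IP='10.8.0.1'
OPENVPN_1_REMOTE_VPN_IP='192.168.7.2'   # inside the net routed by IP_ROUTE_1
OPENVPN_1_ROUTE_N='1'
OPENVPN_1_ROUTE_1='192.168.4.0/24'      # same range as the local IP_NET_2
"""

if __name__ == "__main__":
    config = parse_config(SAMPLE_CONFIG)
    for vpn_var, other in vpn_ip_conflicts(config):
        print(f"{vpn_var} lies inside the net of {other}")
    for route_var, local_net in route_conflicts(config):
        print(f"{route_var} overlaps the local net {local_net}")
```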
OPENVPN_x_ROUTE_N Default: OPENVPN_x_ROUTE_N='' This setting is only valid if OPENVPN_x_TYPE (Page 165) is set to 'tunnel' for this OpenVPN connection. Routes are set automatically by OpenVPN when starting up. Up to 50 nets can be routed over a single OpenVPN connection. For every net to be routed a valid OPENVPN_x_ROUTE_x entry must be created. Please note that the necessary packet filter rules have to be set manually in OPENVPN_PF_FORWARD_x resp. OPENVPN_PF_INPUT_x.
an additional DNS server) it is assumed that a DNS server is listening on the IP of the other end of the tunnel (see OPENVPN_x_REMOTE_VPN_IP (Page 166)). On the remote router incoming DNS queries have to be allowed in this case (e.g. via OPENVPN_x_INPUT_y='tmpl:dns ACCEPT').
OPENVPN_x_ROUTE_x_DOMAIN Default: OPENVPN_x_ROUTE_x_DOMAIN='' Different subnets can have different domains assigned. Per OPENVPN_x_ROUTE_y one corresponding domain can be configured.
This setting will cause OpenVPN to automatically generate key files on boot of the fli4l router. An OpenVPN connection will not be started then. For details see OPENVPN_x_SECRET (Page 164).
OPENVPN_DEFAULT_DIGEST Default: OPENVPN_DEFAULT_DIGEST='SHA1' Enter one of the available message digests here. OpenVPN uses 'SHA1' as default.
OPENVPN_DEFAULT_FLOAT Default: OPENVPN_DEFAULT_FLOAT='yes' OpenVPN remote stations that use DynDNS addresses can change their IP address at any time.
OPENVPN_DEFAULT_PF_FORWARD_POLICY Default: OPENVPN_DEFAULT_PF_FORWARD_POLICY='REJECT' This setting equals 'PF_FORWARD_POLICY=' (Page 54) in base.txt. By specifying 'BASE' the setting from 'PF_FORWARD_POLICY=' in base.txt will be used.
OPENVPN_DEFAULT_PING Default: OPENVPN_DEFAULT_PING='60' To keep an established tunnel open and to recognize whether the OpenVPN remote station can still be reached, an encrypted ping is sent over the line at the interval (in seconds) specified here.
This starts an OpenVPN tunnel running in the background. Instead of name.conf use the name of your configuration file in the directory /etc/openvpn.
OPENVPN_DEFAULT_VERBOSE Default: OPENVPN_DEFAULT_VERBOSE='2' This variable sets the verbosity of OpenVPN. If a VPN connection is running flawlessly you can set this to '0' to suppress all messages. For testing purposes a value of '3' is advised. Higher values may be useful for debugging. The maximum value is '11'.
OPENVPN_DEFAULT_SHAPER Default: OPENVPN_DEFAULT_SHAPER='' Restricts the outgoing bandwidth of the tunnel to the specified value in bytes per second. The possible range is from 100 up to 100000000 bytes. For values up to 1000 bytes per second reduce the MTU of the connection, otherwise ping times will increase significantly. If you want to restrict a tunnel to a certain bandwidth in both directions you have to configure this option on both OpenVPN end points separately.
OPENVPN_x_COMPRESS Default see: OPENVPN_DEFAULT_COMPRESS See OPENVPN_DEFAULT_COMPRESS (Page 169). Unlike the default setting, this setting only affects the OpenVPN connection mentioned.
OPENVPN_x_CREATE_SECRET Default see: OPENVPN_DEFAULT_CREATE_SECRET='no' See OPENVPN_x_SECRET (Page 164). Unlike the default setting, this setting only affects the OpenVPN connection mentioned.
OPENVPN_x_DIGEST Default see: OPENVPN_DEFAULT_DIGEST See OPENVPN_DEFAULT_DIGEST (Page 170).
OPENVPN_x_VERBOSE Default see: OPENVPN_DEFAULT_VERBOSE See OPENVPN_DEFAULT_VERBOSE (Page 172). Unlike the default setting, this setting only affects the OpenVPN connection mentioned.
OPENVPN_x_MANAGEMENT_LOG_CACHE Default see: OPENVPN_DEFAULT_MANAGEMENT_LOG_CACHE See OPENVPN_DEFAULT_MANAGEMENT_LOG_CACHE (Page 172). Unlike the default setting, this setting only affects the OpenVPN connection mentioned.
OPENVPN_x_PF_FORWARD_LOG Default see: OPENVPN_DEFAULT_PF_FORWARD_LOG See OPENVPN_DEFAULT_PF_FORWARD_LOG (Page 170). Unlike the default setting, this setting only affects the OpenVPN connection mentioned.
OPENVPN_x_PF_FORWARD_POLICY Default see: OPENVPN_DEFAULT_PF_FORWARD_POLICY See OPENVPN_DEFAULT_PF_FORWARD_POLICY (Page 170). Unlike the default setting, this setting only affects the OpenVPN connection mentioned.
OPENVPN_x_MSSFIX Default see: OPENVPN_DEFAULT_MSSFIX See OPENVPN_DEFAULT_MSSFIX (Page 172). Unlike the default setting, this setting only affects the OpenVPN connection mentioned.
OPENVPN_x_FRAGMENT Default see: OPENVPN_DEFAULT_FRAGMENT See OPENVPN_DEFAULT_FRAGMENT (Page 172). Unlike the default setting, this setting only affects the OpenVPN connection mentioned.
OPENVPN_x_TUN_MTU Default see: OPENVPN_DEFAULT_TUN_MTU See OPENVPN_DEFAULT_TUN_MTU (Page 172).
Figure 4.3.: Connection Overview
Symbol   Description
(icon)   restart OpenVPN process and try to connect.
(icon)   stop OpenVPN process.
(icon)   reset connection.
(icon)   reset connection and put it on 'hold'. No data can be transferred.
(icon)   free connection again. Data can be transferred.
Table 4.9.: Actions of the OpenVPN WebGUI
OpenVPN - WebGUI - Detail View Of A Connection
Statistics: Some interesting statistics are shown here if the connection is started and not on 'hold'.
Figure 4.4.: Detail view of a connection (key management)
Log: the last 20 lines of the connection log file. If more lines should be displayed enter the number and click 'show'. If 'all' is selected the whole log file is shown. This tab is only shown for started connections.
Debug-Log: Shows the output of the start process. The OpenVPN connection is started and the output is shown. This is handy if the connection can't be started by the start button and no normal log can be shown.
Support information: Shows all information relevant when problems occur. You may copy&paste this information e.g. for a post in the newsgroups.
4.14.7. OpenVPN - Collaboration Of Different OpenVPN Versions Please note that different versions of OpenVPN may use different default parameters for a connection. In particular the MTU, fragment and MSSFIX settings may differ. If the values "don't match", the connection can't be established or no reliable connection can be made.
OPENVPN_DEFAULT_TUN_MTU='1500'
OPENVPN_DEFAULT_MSSFIX='1300'
OPENVPN_DEFAULT_FRAGMENT='1300'
For fli4l versions prior to 2.1.9 the "tun-mtu" parameter can't be specified directly, but it can be influenced indirectly with OPENVPN_x_LINK_MTU. tun-mtu values are about 45 bytes smaller than the values in OPENVPN_x_LINK_MTU. To get exact values only trying will help.
4.14.8. OpenVPN - Examples Some examples will clarify the configuration of the package OpenVPN.
OpenVPN Option           Peter             Maria
OPENVPN_2_NAME           'bridge'          'bridge'
OPENVPN_2_REMOTE_HOST    '10.1.0.1'        '10.2.0.1'
OPENVPN_2_REMOTE_PORT    '10005'           '10006'
OPENVPN_2_LOCAL_HOST     '10.2.0.1'        '10.1.0.1'
OPENVPN_2_LOCAL_PORT     '10006'           '10005'
OPENVPN_2_FLOAT          'no'              'no'
OPENVPN_2_RESTART        'never'           'never'
OPENVPN_2_SECRET         'bridge.secret'   'bridge.secret'
OPENVPN_2_TYPE           'bridge'          'bridge'
OPENVPN_2_BRIDGE         'pema-br'         'pema-br'
Table 4.13.
is edited. Unfortunately the tun/tap driver for Windows is not as flexible as its Unix counterpart. Point-to-point addresses for the VPN IP have to be in a 255.255.255.252 (or /30) net. If the road warrior should only access services in the LAN behind or on the fli4l router itself and does not have to be reached itself, a route on fli4l's side is not necessary. The road warrior can be addressed on its virtual IP address (OPENVPN_3_REMOTE_VPN_IP) if necessary.
cable nets. The settings of the DNSMASQ DHCP server have to be changed to achieve that. The package advanced_networking will be needed as well. Settings in base.txt: IP_NET_1 is the cable LAN and IP_NET_2 is the WLAN.
IP_NET_N='2'
IP_NET_1='192.168.3.254/24'
IP_NET_1_DEV='br0'
IP_NET_2='192.168.4.254/24'
IP_NET_2_DEV='eth2'
Set the DHCP range to suit your needs.
http://wiki.freifunk.net/OpenVPN
http://w3.linux-magazine.com/issue/24/Charly.pdf
http://w3.linux-magazine.com/issue/25/WirelessLAN_Intro.pdf
http://w3.linux-magazine.com/issue/25/OpenVPN.pdf
4.15. PCMCIA - PC-Card Support 4.15.1. PCMCIA Drivers fli4l can work with PCMCIA cards as well. Specify OPT_PCMCIA='yes' to install the corresponding base drivers. The card driver actually to be used is set by NET_DRV_x (Page 32).
PPP_NETWORK PPP_NETMASK PPP_NETWORK holds the network used and the variable PPP_NETMASK the netmask. These two variables are used by the extra package 'samba_lpd'. Important: Consider the following: 1. These IP addresses may not come from the network address range of the Ethernet LANs. The point-to-point configuration must use a separate network address range! 2. For the client PC's connection to the Internet this mini PPP network has to be masqueraded in the same way as the LAN.
#! /bin/sh
dev='/dev/ttyS0'                  # COM1, for COM2: ttyS1
speed='38400'                     # speed
options='defaultroute crtscts'    # options
myip='192.168.4.2'                # IP address client
fli4lip='192.168.4.1'             # IP address fli4l router
pppd $dev $speed $options $myip:$fli4lip &
In case of problems: man pppd. The fli4l router has to be used as the DNS server on the client if a connection to the Internet is desired. Add two lines to /etc/resolv.
PRIVOXY_x_LISTEN Specify here the IP addresses or symbolic names, including the port number, of the interface on which Privoxy should listen for clients. It is a good idea to specify only trusted interfaces because all clients have full access to Privoxy (and its activated configuration editor). Normally setting IP_NET_1_IPADDR:8118 makes the most sense. Privoxy will listen on the addresses set here and offer its services. The default port is 8118.
PRIVOXY_x_CONFIG This option enables interactive configuration editing for proxy users via Privoxy's web interface. For further details please consult the Privoxy documentation.
PRIVOXY_x_LOGDIR This option specifies a log directory for Privoxy. This may be useful e.g. for logging user accesses to websites. If nothing is set here only important messages will be logged to the console and PRIVOXY_LOGLEVEL is ignored.
TOR_LISTEN_x Specify here the IP addresses or symbolic names, including the port number, of the interface on which Tor should listen for clients. It is a good idea to specify only trusted interfaces because all clients have full access to Tor (and its activated configuration editor). Normally setting IP_NET_1_IPADDR:9050 makes the most sense. Tor will listen on the addresses set here and offer its services. The default port is 9050. This setting has to be used in the configuration of your programs.
4.17.3. OPT_SS5 - A Socks4/5 Proxy For some programs a Socks proxy may be needed. SS5 provides this functionality. http://ss5.sourceforge.net/
SS5_LISTEN_N SS5_LISTEN_x Specify here the IP addresses or symbolic names, including the port number, of the interface on which SS5 should listen for clients. It is a good idea to specify only trusted interfaces because all clients have full access to SS5 (and its activated configuration editor). Normally setting IP_NET_1_IPADDR:8050 makes the most sense.
TRANSPROXY_ALLOW_N TRANSPROXY_ALLOW_x List of nets and/or IP addresses for which the packet filter has to be opened. It should cover the nets that should be redirected by the packet filter. If you don't set any ranges here they have to be entered manually in the configuration of the packet filter. 4.17.5.
Software: • Package: advanced_networking • Package: dhcp_client (for the use of ID8) The following describes adapting the config files base.txt, dsl.txt, advanced_networking.txt, dhcp_client.txt and dns_dhcp.txt. Hardware Setup The recommendation to connect the IPTV set-top box directly to the router without further network elements also applies to fli4l.
Figure 4.6.: fli4l in an IPTV configuration (VDSL modem, fli4l router with IPTV-STB interface and LAN interface)
A note for those using only 'normal DSL', i.e. ADSL, ADSL2, ADSL2+: VLAN is only needed for VDSL, not for 'normal DSL'; the VLAN configuration will not work in this case. If two VLAN tags are used (see above) the traffic is split as follows: • VLAN ID 7: Internet traffic • VLAN ID 8: IPTV multicast traffic This way Internet traffic is independent of IPTV traffic.
OPT_DHCP_CLIENT='yes'
DHCP_CLIENT_TYPE='dhcpcd'
DHCP_CLIENT_INTERFACES='IP_NET_3_DEV' # listen on interface eth1.8
DHCP_CLIENT_USEPEERDNS='no'
DHCP_CLIENT_HOSTNAME=''
As of fli4l V3.3 the interface can only be defined by the value of IP_NET_x_DEV defined for the interface in base.txt, here: IP_NET_3_DEV. Specifying eth1.8 directly is not possible anymore. Optional: If the NIC in use has problems with the MTU size it can be adapted with the parameter DEV_MTU.
It is important to change the MAC addresses of eth1.7 and eth1.8 so that they differ from the one of eth1; otherwise, depending on the VDSL network, disturbances can occur after a forced disconnection. Internet access must be possible for the new NIC, just as for the first NIC. These additional settings are necessary:
PF_INPUT_1='IP_NET_1 ACCEPT'
PF_INPUT_2='IP_NET_2 ACCEPT'
PF_INPUT_3='any 224.0.0.0/4 ACCEPT'
[...]
PF_FORWARD_3='any 224.0.0.
IGMPPROXY_DEBUG By specifying 'yes' here the messages of the IGMP proxy are sent to syslog.
IGMPPROXY_DEBUG2 By specifying 'yes' here the log level of the IGMP proxy is increased.
IGMPPROXY_QUICKLEAVE_ON With quickleave the load on the upstream link can be lowered. If the parameter is enabled with 'yes', the multicast stream is cancelled faster after a channel change and so the downstream load is lowered, because the IGMP proxy behaves like a receiver.
IGMPPROXY_WLIST_N This parameter determines the number of whitelists for IGMP reports.
IGMPPROXY_WHLIST_NET_x: With IGMPv3 all addresses may be summarized in one report, which in turn will be ignored completely. This leads to a complete shutdown of all multicast traffic by the IGMP querier, which assumes that it is not needed anymore. To avoid this, whitelists are configured. Only multicast groups in this list will be requested on the WAN side.
Hint: In contrast to earlier versions of the documentation the rules have been restricted to the nets really needed. If IPTV does not work as expected feel free to provide additional information concerning the nets used. Important! By the end of May 2013 Telekom introduced new classless routes for Entertain (http://www.onlinekosten.de/forum/showthread.php?t=116415&page=38). This seems to be caused by the use of more than 256 stations resp. addresses.
STUNNEL_x_NAME The name of each tunnel. Must be unique among all configured tunnels. Example: STUNNEL_1_NAME='imond'
STUNNEL_x_CLIENT This variable configures which part of the communication is encrypted via SSL/TLS. There are two options: • Client mode: The tunnel expects unencrypted data from outside and sends it encrypted to the other end of the tunnel. This corresponds to the setting STUNNEL_x_CLIENT='yes'.
an IPv6 address using STUNNEL_1_ACCEPT='IPV6_NET_2_IPADDR:443', or vice versa by using STUNNEL_1_ACCEPT_IPV4='no' and IP_NET_x_IPADDR. Furthermore, the meaning of "any" depends on the layer 3 protocols activated (IPv4 or IPv6): of course, the tunnel only listens on addresses belonging to the layer 3 protocols activated via STUNNEL_x_ACCEPT_IPV4 and STUNNEL_x_ACCEPT_IPV6.
STUNNEL_x_ACCEPT_IPV4 This variable controls whether the IPv4 protocol is used for incoming connections to the tunnel.
can only be reached through a dynamic DNS name and the address behind the name changes frequently, or if a dial-in when starting "stunnel" should be prevented. Default setting: STUNNEL_x_DELAY_DNS='no' Example: STUNNEL_1_DELAY_DNS='yes'
STUNNEL_x_CERT_FILE This variable contains the file name of the certificate to be used for the tunnel.
certificate. This setting ensures that really only a fixed and known peer may connect (server tunnel), or that a connection is only established to a known peer (client tunnel). This is useful for peer-to-peer connections between hosts that are both under your control but for which no own CA is used. • both: The certificate of the remote station is compared with the certificate configured via the variable STUNNEL_x_CERT_CA_FILE, and it is also ensured that it matches a CA certificate.
STUNNEL_1_CERT_VERIFY='both'
STUNNEL_2_NAME='remote-imond2'
STUNNEL_2_CLIENT='yes'
STUNNEL_2_ACCEPT='any:50001'
STUNNEL_2_ACCEPT_IPV4='yes'
STUNNEL_2_ACCEPT_IPV6='yes'
STUNNEL_2_CONNECT='@remote2:50000'
STUNNEL_2_CERT_FILE='client.pem'
STUNNEL_2_CERT_CA_FILE='ca+server2.
A modem manages a packet queue where packets exceeding the available bandwidth are stored. With DSL modems, for example, these queues are rather big. The advantage is a constant usage of the maximum bandwidth: if the router sends fewer packets for a short period of time, the modem still has packets in the queue that it can send. Such a queue is a simple thing sending packets first in, first out; rather fair, isn't it? This is where QoS comes into play.
QOS_INTERNET_DEFAULT_DOWN='0' Example: Two classes have been created and a filter puts all packets for a certain IP address into the first one. All other packets should go to the second one. This must be set like this: QOS_INTERNET_DEFAULT_DOWN='2' Make sure to choose a class for QOS_INTERNET_DEFAULT_DOWN whose QOS_CLASS_x_DIRECTION variable contains the argument 'down'.
QOS_INTERNET_DEFAULT_UP Set the default class for packets going out to the Internet here.
Three subclasses of our parent class above whose QOS_CLASS_x_MINBANDWIDTH and QOS_CLASS_x_MAXBANDWIDTH settings look like this:
QOS_CLASS_2_PARENT='1'
QOS_CLASS_2_MINBANDWIDTH='60Kibit/s'
QOS_CLASS_2_MAXBANDWIDTH='128Kibit/s'
QOS_CLASS_3_PARENT='1'
QOS_CLASS_3_MINBANDWIDTH='40Kibit/s'
QOS_CLASS_3_MAXBANDWIDTH='128Kibit/s'
QOS_CLASS_4_PARENT='1'
QOS_CLASS_4_MINBANDWIDTH='28Kibit/s'
QOS_CLASS_4_MAXBANDWIDTH='128Kibit/s'
All subclasses have the same (or no) priority (see QOS_CLASS_x_PRIO).
QOS_CLASS_2_PRIO='1'
QOS_CLASS_3_MINBANDWIDTH='40Kibit/s'
QOS_CLASS_3_PARENT='1'
QOS_CLASS_3_MAXBANDWIDTH='128Kibit/s'
QOS_CLASS_3_PRIO='1'
QOS_CLASS_4_PARENT='1'
QOS_CLASS_4_MINBANDWIDTH='28Kibit/s'
QOS_CLASS_4_MAXBANDWIDTH='128Kibit/s'
QOS_CLASS_4_PRIO='2'
As in the original example, class 2 consumes only 20Kibit/s and leaves 40Kibit/s of free bandwidth. Classes 3 and 4 both need more bandwidth than available.
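How the 40Kibit/s left over by class 2 is divided between classes 3 and 4, with and without the PRIO settings above, can be worked through with the model below. It is an added example, not fli4l code: it models the sharing rules of the Linux HTB queueing discipline (that fli4l's QoS builds on HTB is an assumption here), where every class first gets up to its MINBANDWIDTH, spare bandwidth goes to the lowest PRIO number first, and within one PRIO level it is split in proportion to MINBANDWIDTH, never beyond MAXBANDWIDTH or what the class actually wants to send. The parent class's 128Kibit/s and the demands are constructed values.

```python
"""Bandwidth sharing between sibling QoS classes (added example, HTB-style model)."""


def share_bandwidth(parent_max, classes, demand):
    """classes: {name: (minbandwidth, maxbandwidth, prio)}, demand: {name: wanted}.

    Returns {name: bandwidth granted}. Classes absent from demand want nothing.
    All values share one unit; the page uses Kibit/s.
    """
    # Nobody can use more than its ceiling, and MINBANDWIDTH is guaranteed first.
    wanted = {n: min(demand.get(n, 0), spec[1]) for n, spec in classes.items()}
    granted = {n: min(wanted[n], spec[0]) for n, spec in classes.items()}
    spare = parent_max - sum(granted.values())
    for prio in sorted({spec[2] for spec in classes.values()}):
        # Offer the spare bandwidth to this PRIO level until it is used up or
        # every class on the level is satisfied. A class that reaches its cap
        # leaves the rest of its share in the pool for the next round.
        while spare > 1e-9:
            hungry = [n for n, spec in classes.items()
                      if spec[2] == prio and granted[n] < wanted[n]]
            if not hungry:
                break
            weights = {n: classes[n][0] or 1 for n in hungry}   # split by MINBANDWIDTH
            total_weight = sum(weights.values())
            handed_out = 0.0
            for n in hungry:
                share = min(wanted[n] - granted[n], spare * weights[n] / total_weight)
                granted[n] += share
                handed_out += share
            spare -= handed_out
    return granted


# Parent class 1 assumed to have 128Kibit/s; subclasses as listed on the page.
EQUAL_PRIO = {"2": (60, 128, 1), "3": (40, 128, 1), "4": (28, 128, 1)}
WITH_PRIO = {"2": (60, 128, 1), "3": (40, 128, 1), "4": (28, 128, 2)}
# Class 2 only uses 20Kibit/s; classes 3 and 4 want more than is available.
DEMAND = {"2": 20, "3": 200, "4": 200}

if __name__ == "__main__":
    for label, classes in (("same priority", EQUAL_PRIO), ("class 4 at PRIO 2", WITH_PRIO)):
        granted = share_bandwidth(128, classes, DEMAND)
        print(label + ": " + ", ".join(f"class {n} {bw:.1f}Kibit/s" for n, bw in granted.items()))
```

With equal priorities the 40Kibit/s is split 40:28 between classes 3 and 4; with class 4 at PRIO 2 all of it goes to class 3 and class 4 keeps only its guaranteed 28Kibit/s.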
QOS_FILTER_x_CLASS='25' QOS_CLASS_x_DIRECTION sets whether a class belongs to the up- or downstream. If a filter queues packets to an upstream class, only upstream packets will be filtered and queued to the class mentioned. QOS_CLASS_x_DIRECTION thus defines the "direction" of filtering. As of version 2.1 more than one target class can be set.
QOS_FILTER_x_PORT Ports and port ranges can be set here, separated by spaces and combined in any manner. If this variable is empty, traffic on all ports will be limited. Filtering for a port range from 5000 up to 5099 would look like this: QOS_FILTER_x_PORT='5000-5099' Another example: If traffic on ports 20 to 21, 137 to 139 and port 80 should be filtered into the same class, this would look like this: QOS_FILTER_x_PORT='20-21 137-139 80' This variable can be empty.
This is extremely important with asymmetric connections (up- and downstream bandwidths differ) as used in most DSL lines. Those most likely have a small upstream that tends to reach its maximum rather fast. If ACK packets are queued like any other packet, the data server may delay its transmission while waiting for ACK packets to come in. This results in download rates lower than they could be. So ACK packets have to bypass the "normal" packets in order to get to the data server as fast as possible.
DSCP* Differentiated Services Code Point DSCP is a marking according to RFC 2474. This process has mostly replaced TOS marking since 1998. Filters on DSCP classes can be configured as follows: QOS_FILTER_x_OPTION='DSCPef' QOS_FILTER_x_OPTION='DSCPcs3' Please note that DSCP is in capital letters while the class is in lower case. The following classes can be used: af11-af13, af21-af23, af31-af33, af41-af43, cs1-cs7, ef and be (default) 4.18.2.
Figure 4.7.
QOS_FILTER_1_OPTION=''
QOS_FILTER_2_CLASS='2'
QOS_FILTER_2_IP_INTERN='192.168.0.3'
QOS_FILTER_2_IP_EXTERN=''
QOS_FILTER_2_PORT=''
QOS_FILTER_2_PORT_TYPE=''
QOS_FILTER_2_OPTION=''
QOS_FILTER_3_CLASS='3'
QOS_FILTER_3_IP_INTERN='192.168.0.4'
QOS_FILTER_3_IP_EXTERN=''
QOS_FILTER_3_PORT=''
QOS_FILTER_3_PORT_TYPE=''
QOS_FILTER_3_OPTION=''
Option QOS_INTERNET_DEFAULT_UP is set to 0 because upstream should not be regulated.
QOS_FILTER_1_IP_INTERN='192.168.0.2'
QOS_FILTER_1_IP_EXTERN=''
QOS_FILTER_1_PORT='80'
QOS_FILTER_1_PORT_TYPE='client'
QOS_FILTER_1_OPTION=''
QOS_FILTER_2_CLASS='4'
QOS_FILTER_2_IP_INTERN='192.168.0.2'
QOS_FILTER_2_IP_EXTERN=''
QOS_FILTER_2_PORT=''
QOS_FILTER_2_PORT_TYPE=''
QOS_FILTER_2_OPTION=''
QOS_FILTER_3_CLASS='5'
QOS_FILTER_3_IP_INTERN='192.168.0.
Figure 4.9.: Example 3
is for a second client PC divided into 2/3 http and 1/3 for the rest (2/6 and 1/6 of the whole bandwidth), this would happen: If both clients run at full load both get their half of the bandwidth. If the second one is not transferring http, its unused 2/6 of the bandwidth is distributed not only to the second but to both PCs, as described above. To avoid this, subclasses are created.
For the upstream, class number two should be the default class. The network device eth0 is set to 10Mibit/s.
QOS_CLASS_N='2'
QOS_CLASS_1_PARENT='0'
QOS_CLASS_1_MINBANDWIDTH='127Kibit/s'
QOS_CLASS_1_MAXBANDWIDTH='128Kibit/s'
QOS_CLASS_1_DIRECTION='up'
QOS_CLASS_1_PRIO=''
This is the class for ACK (acknowledgement) packets. ACK packets are rather small and thus need only a minimum bandwidth. Because they should not be affected in any way they get 127Kibit/s. 1Kibit/s is left for the rest.
4.19. SSHD - Secure Shell, Secure Copy A secure shell enables you to open an encrypted connection to the fli4l router. By using secure copy, files can be transmitted to the fli4l router in encrypted form. If in addition Public Key Login (Page 221) is used, commands and file transfers can be driven by scripts from "outside". As of version 2.1.7 only an SSH2 server exists. 4.19.1.
Figure 4.10.
If you created a new host key, set SSHD_CREATEHOSTKEYS back to 'no' to avoid creating another host key on every reboot. If you log in to your fli4l router after updating the host key, a warning message (depending on the ssh client you use) will appear to inform you about the changed host key. In this case this is normal because you just changed your host key. Follow the routine necessary for your ssh client to accept the changed host key permanently.
ssh client. The public part of the key is needed on the fli4l router and is provided to it via SSHD_PUBLIC_KEY_x or SSHD_PUBLIC_KEYFILE_x. For further information see the manual pages for ssh and its components resp. the documentation for PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/).
SSHD_PUBLIC_KEY_x Provide here the public part of the key of each user who should be able to access fli4l via ssh. The easiest way is to cut and paste it from a terminal window.
If dbclient's known hosts should be saved permanently, the file known_hosts from the directory /.ssh on the router has to be copied to config/etc/ssh. This works in the same way as with a generated host key. In the following example the fli4l directory (fli4l's boot medium is generated there) is found at /home/babel/fli4l-3.10.1. All config files are in the directory config.babel.
cd /home/babel/fli4l-3.10.1
mkdir -p config.babel/etc/ssh
scp fli4l:/.ssh/* config.babel/etc/ssh
4.19.3.
OPT_FTP FTP client The ftp program can connect fli4l to an FTP server to move files between the two of them.
FTP_PF_ENABLE_ACTIVE The setting FTP_PF_ENABLE_ACTIVE='yes' adds a rule to the packet filter that enables active FTP initiated from fli4l. For FTP_PF_ENABLE_ACTIVE='no' such a rule has to be added to the PF_OUTPUT_%-array manually (if needed); for an example look here (Page 66). Passive FTP is always possible; neither this variable nor an explicit packet filter rule is needed then.
OPT_NTTCP Network checks The program NTTCP can check the network speed. On one side a server is started and on the other side the client. Start the server by executing nttcp -i -v. The server will wait for client requests. To test e.g. the speed, execute nttcp -t <IP address of the server> on the client. This is how a started nttcp server looks like:
fli4l-server 3.10.1~# nttcp -i -v
nttcp-l: nttcp, version 1.
OPT_RTMON Installs a tool that tracks changes in routing tables. Primarily used for debugging.
OPT_SOCAT The program "socat" is more or less an enhanced version of the "netcat" program (Page 224) with more functionality. By using "socat" you may not only establish or accept various types of network connections, but also send data to or read data from UNIX sockets, devices, FIFOs, and so on.
OPT_MTOOLS mtools provides some DOS-like commands for simpler handling of DOS media (copying, formatting, etc.). The exact syntax of the commands can be found in the mtools documentation: http://www.gnu.org/software/mtools/manual/mtools.html
OPT_SHRED Installs the program shred on the router, which is used for securely erasing block devices.
OPT_YTREE File Manager Installs the file manager Ytree on the router.
4.20.4. Developer Tools OPT_OPENSSL The tool openssl can e.g.
Dial-in data of some German providers
Provider                 APN
T-Mobile                 internet.t-mobile
Vodafone                 web.vodafone.de
E-Plus                   internet.eplus.de
O2 (contract customers)  internet
O2 (prepaid customers)   pinternet.interkom.de
Alice                    internet.
UMTS_FILTER Default setting: UMTS_FILTER='yes' fli4l automatically hangs up if no traffic is going over the ppp0 interface within the hangup timeout. Unfortunately data transfers from outside, e.g. from P2P clients like eDonkey, also count as relevant traffic. Since nowadays you will be contacted from outside nearly permanently, it may happen that fli4l never hangs up a UMTS connection. The option UMTS_FILTER helps here.
ttyUSB0 for a USB stick, ttyS2 for PCMCIA, ttyACM0 for a USB phone.
UMTS_CTRL (optional) Some adapters have more interfaces for modem control. If only one exists, status information can only be read in 'Offline' state. For the Option Fusion UMTS Quad the interface is e.g. ttyUSB2.
4.21.2. Sample Configuration For RRDTOOL Depending on the hardware it is possible to display signal strength and bit errors in OPT_HTTPD (Page 123). With OPT_RRDTOOL you can even record these values.
• empeg - USB Empeg Mark I/II
• ftdi_sio - USB FTDI Serial Converter
• io_edgeport - Edgeport USB Serial
• io_ti - Edgeport USB Serial
• ipaq - USB PocketPC PDA
• ir-usb - USB IR Dongle
• keyspan - Keyspan USB to Serial Converter
• keyspan_pda - USB Keyspan PDA Converter
• kl5kusb105 - KLSI KL5KUSB105 chipset USB->Serial Converter
• kobil_sct - KOBIL USB Smart Card Terminal (experimental)
• mct_u232 - Magic Control Technology USB-RS232 converter
• omninet - USB ZyXEL omni.
4.22.3. Mounting Of USB Devices Plugged-in USB devices will be detected automatically but must be mounted and unmounted 'by hand'. When plugging in a USB stick it is recognized as a SCSI block device. For this reason access is accomplished via the device sd# for SuperFloppy devices or sd#<partition number> for devices with a partition table. USB drives are treated as hard disks and addressed as sda1 and sdb1 if plugged into two USB ports.
errors. Either the computer does not start at all (it even can't be switched on) or the WLAN card is not found on the PCI scan. WLAN cards are addressed as wlanX in base.txt's IP_NET_X_DEV. If only one WLAN card is installed its name is wlan0.
4.23.1. WLAN Configuration OPT_WLAN Default setting: OPT_WLAN='no' Activates the package Wireless LAN.
WLAN_WEBGUI Default setting: WLAN_WEBGUI='yes' Activates the web interface for the package Wireless LAN.
WLAN_x_NOESSID Deactivates sending the ESSID in beacon frames. Only valid with the hostap_* driver and firmware >= 1.6.3 in WLAN_MODE='master'. This feature is optional and has to be added manually in config/wlan.txt.
WLAN_x_CHANNEL Sets the transmission channel of the network.
Key                                Meaning
XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XX   128 Bit Hex-Key (X=0-F)
XXXX-XXXX-XX                       64 Bit Hex-Key (X=0-F)
s:<5 characters>                   64 Bit
s:<6-13 characters>                128 Bit
P:<1-64 characters>                128 Bit
Using s:<text> is not compatible with the passphrase of the Windows drivers. Use a hex key instead! Windows mostly uses hex keys without hyphens '-'. Using P:<text> is compatible with the passphrases of most (if not all) Windows WLAN drivers, but only in 128 bit mode.
WLAN_x_WPA_DEBUG In case of problems with WPA set this variable to 'yes' so that the daemon provides more verbose output for debugging. WLAN_x_AP Registers the node with an Access Point. Specify the MAC address of the Access Point here. If WLAN mode “master” was chosen before, keep this variable empty. This option only makes sense if fli4l cannot find the AP by itself or should be bound to a preferred Access Point. Only to be used in WLAN mode “managed”.

If the file is deactivated, WPS clients using it can no longer connect to the Access Point; WPS clients that are already connected when the file is deactivated are not affected. Default setting: WLAN_x_PSKFILE='yes' WLAN_x_BRIDGE As an alternative to the package ADVANCED_NETWORKING you may specify here the bridge to which the WLAN should be bound. Example: WLAN_x_BRIDGE='br0' Attention: Use either ADVANCED_NETWORKING or this setting, not both! 4.23.2.

of them. The base device's name is still wlan0; the next one in VAP mode will be wlan0v2 and so on. For binding to a bridge please use WLAN_x_BRIDGE='br0'! At the moment up to 8 master instances are possible, depending on card and driver. 4.23.4. Switching WLAN on and off based on daytime with easycron By using the package easycron (Page 117) WLAN may be switched on and off according to a time schedule.
• The programs perl and python
In the following, characters printed in bold represent keyboard input; the ↵ character stands for the Enter key on your keyboard, which executes the entered command. 4.24.1. The Sources - An Overview In the directory src you will find the subdirectories fbr, fli4l and cross. fbr: In this folder there is a custom build system based on the buildroot for uClibc (currently in version 0.9.33.2). FBR stands for “fli4l-Buildroot”.

Under the Buildroot directory ~/.fbr/fbr-<branch>-<arch>/buildroot the directories output/sandbox and output/target are of interest. output/sandbox: In this directory a subdirectory exists for each FBR package that holds the files of the package after being compiled; the files destined for the fli4l router can then be found in output/sandbox/<package>/target.

FBR_ARCH: This variable specifies the processor architecture for which the FBR (or FBR packages) should be built. If it is missing, x86 is used. The FBR currently supports the following architectures: x86 – Intel x86 architecture (32-Bit), also known as IA-32. x86_64 – AMD x86-64 architecture (64-Bit), also called Intel 64 or EM64T by Intel.

remove all artifacts that have been generated during the last FBR build. You will have to confirm this action. This is also useful to free disk space. 4.24.3. Testing Of A Compiled Program If a program has been compiled with fbr-make it may also be tested on the development machine. Such a test will of course only work if the processor architecture of the development machine matches the processor architecture the fli4l programs were compiled for.

a crash a memory dump is generated in /var/log/dumps/core.., where “PID” is the process ID of the crashed process. You may analyze the state of the program on a Linux machine with a fully compiled FBR as described below. The example to be analyzed is the program /usr/sbin/collectd, which was terminated with a SIGBUS. The dump was stored in /tmp/core.collectd.

fli4l@eisler:~$ .fbr/fbr-trunk-x86/buildroot/output/host/usr/bin/i586-linux-gdb ↵
GNU gdb (GDB) 7.5.

[New LWP 2241]
[New LWP 2237]
[New LWP 2234]
[New LWP 2253]
[New LWP 2254]
[New LWP 2258]
[New LWP 2260]
Failed to read a valid object file image from memory.
Core was generated by `collectd -f'.
Program terminated with signal 7, Bus error.
#0  0xb7705f5d in memcpy () from /project/fli4l/.fbr/fbr-trunk-x86/buildroot/output/target/lib/libc.so.0
(gdb) backtrace ↵
#0  0xb7705f5d in memcpy () from /project/fli4l/.fbr/fbr-trunk-x86/buildroot/output/target/lib/libc.so.

717	        rrd_file->pos += count;
718	        return count; /* mimmic write() semantics */
719	#else
720	        ssize_t _sz = write(rrd_simple_file->fd, buf, count);
(gdb) list 700 ↵
695	 * rrd_file->pos of rrd_simple_file->fd.
696	 * Returns the number of bytes written or <0 on error.

To identify all programs and libraries that use libm (the library with mathematical functions), use fbr-make links-against libm.so.0, because libm.so.0 is the file name of the libm library. A possible output would be:

$ fbr-make links-against librrd_th.so.4 ↵
Executing plugin links-against
Files linking against librrd_th.so.4
collectd usr/lib/collectd/rrdcached.so
collectd usr/lib/collectd/rrdtool.

Reconfiguration Of The uClibc Library With fbr-make uclibc-menuconfig the functionality of the uClibc library in use may be changed. On successful exit of the configuration menu, the new configuration is saved to src/fbr/buildroot/package/uclibc/uclibc.config.

the changes to the SVN repository will be merged and the problem of lost configuration does not occur.) However, your own FBR packages may be reconfigured easily, without data loss occurring on an update. 4.24.8. Integrating Own Programs Into The FBR Compilation of the individual FBR packages is controlled by small Makefiles. If you want to develop your own FBR packages, you have to create a Makefile and a configuration description in ~/.fbr/own/<package>/.
5. Creating the fli4l Archives/Boot media If all configuration is completed, the fli4l archives/boot media may be created as either a bootable Compact Flash card, a bootable ISO image, or only the files needed for a remote update. 5.1. Creating the fli4l Archives/Boot media under Linux or other Unix derivatives and Mac OS X This is done using scripts (.sh), which can be found in the fli4l root directory. mkfli4l.sh The build script recognizes the different boot types (Page 24).

Usage: mkfli4l.

are using this script at your own risk. The necessary fli4l files will be copied onto the specified partition. At first, run in the fli4l directory: sh mkfli4l.sh --hdinstallpath

This will generate the fli4l files and copy them to the CF card or USB stick. To run the next steps, you have to make sure: • chmod 777 /dev/brain • superuser rights • installed syslinux • installed fdisk The script will ensure that this storage device is a FAT-partitioned USB drive. 5.2. Creating the fli4l Archives/Boot media under Windows The Windows build utilizes the tool ‘AutoIt3’ (http://www.autoitscript.com/site/autoit/). This enables a ‘graphical’ build as well as dialogues which allow changing the variables described in the following sections. mkfli4l.bat The build program automatically recognizes the different boot types (Page 24). ‘mkfli4l.bat’ can be invoked directly from Windows Explorer if you need no optional parameters.

config-dir        sets another config directory - default is "config"
*** Remote-Update options
--remoteupdate    remote update via scp, implies "--filesonly"
--remoteuser      user name for the remote update - default is "fli4l"
--remotehost      hostname or IP of the remote machine - default is HOSTNAME set in [config-dir]/base.

fli4l-x.y.z\config.cd
fli4l-x.y.z\config.hd
fli4l-x.y.z\config.hd-create
5.2.3. Configuration dialog – General Preferences [Figure 5.1.: Preferences] In this dialogue the settings for the archive/boot-media creation are specified: • Build-Dir – Directory for the Archives/CD-Images/...

Using the button ‘Current settings in mkfli4l.txt buffer’ the current settings can be stored in mkfli4l.txt. 5.2.4. Configuration dialog – Settings for Remote update [Figure 5.2.]

5.2.5. Configuration dialog – Settings for HD pre-install [Figure 5.3.: Settings for HD pre-install] In this dialogue the options are set for an HD pre-install onto an accordingly partitioned and formatted Compact Flash card in a USB reader.

5.3. Control file mkfli4l.txt Since fli4l version 2.1.9 the control file <config>/mkfli4l.txt exists. This file can e.g. be used to specify directories which differ from the standard settings. The control file has a similar structure to the normal fli4l configuration files. All configuration variables here are optional, i.e. they need not exist or they can be commented out. BUILDDIR Default: ‘build’ Specifies the directory where the fli4l files will be created.

REMOTEREMOUNT Default: REMOTEREMOUNT='no' Possible values are 'yes' or 'no'. If set to 'yes', a boot device "/boot" mounted read-only will be remounted read-write to allow remote updates of the boot files. TFTPBOOTPATH Path where the remote Netboot image is saved to. TFTPBOOTIMAGE Name of the Netboot image. PXESUBDIR Subdirectory for the PXE files relative to TFTPBOOTPATH. SQUEEZE_SCRIPTS Enables or disables the squeezing (compression) scripts.
6. Connecting PCs in the LAN For every host in the LAN you will have to set up: 1. IP address (see IP address) 2. Name of the host plus desired domain name (see Host and domain name) 3. Default gateway (see Gateway) 4. IP address of the DNS server (see DNS server) 6.1. IP address The IP address of the host has to belong to the same network as the IP address of the fli4l router (on the Ethernet interface), for example 192.168.6.2 in case the router has the IP address 192.168.6.1.
Properties → Advanced... → DNS → Add DNS suffix → Type “lan.fli4l” (or the domain set up – without the quotes!) → Click OK. 6.2.2. NT 4.0 Start → Settings → Control Panel → Network → Protocols → TCP/IP → Properties → DNS → • Enter hostname (of the client) • Enter domain (same as in config/base.txt) • Add IP address of the fli4l router • Add DNS suffix (add the domain – see two lines above) 6.2.3.

Internet Protocol (TCP/IP) → Properties → Advanced... → DNS → DNS suffix for this connection → Specify “lan.fli4l” (resp. the domain you use) (without the quotes!) → Press OK. 6.2.5. Windows 7 On Windows 7 the settings can be found at: Windows button (formerly Start) → Control Panel → Network and Internet → Network and Sharing Center → LAN connection → Properties → Internet Protocol Version 4 (TCP/IPv4) → Properties → Advanced... → DNS → DNS suffix for this connection → Specify “lan.

here (the Ethernet interface's address) – for example 192.168.6.4, depending on the IP address that has been specified for the router in the file config/base.txt. It is wrong to enter fli4l as a proxy in the Windows or browser configuration unless you run a proxy on the router. Normally fli4l is not a proxy, so please do not specify fli4l as a proxy! 6.4.
7. Client/Server interface imond 7.1. imon-Server imond imond is a network-capable server program that responds to certain queries or accepts commands that can control the router. imond also controls the Least-Cost Routing. It uses the configuration file /etc/imond.conf, which is created automatically at boot time by a shell script from the variables ISDN_CIRC_x_XXX in the file config/isdn.txt and others. imond runs permanently as a daemon and listens on TCP/IP port 5000 and on the device /dev/isdninfo.

Using the imond command “timetable” you can have a look at it. Here is an example. Suppose 3 circuits are defined:

CIRCUIT_1_NAME='Addcom'
CIRCUIT_2_NAME='AOL'
CIRCUIT_3_NAME='Firma'

Only the first two circuits are defined as default-route circuits, i.e. the corresponding variables ISDN_CIRC_x_ROUTE have the value '0.0.0.0'. If the variables ISDN_CIRC_x_TIMES look like this:

ISDN_CIRC_1_TIMES='Mo-Fr:09-18:0.0388:N Mo-Fr:18-09:0.0248:Y Sa-Su:00-24:0.

Idx  Circuit  Default  Device  Charge  Interval
 4   AOL      yes      ippp1   0.0190  180
 5   AOL      no       ippp1   0.0490  180
 6   AOL      no       ippp1   0.0190  180
 7   AOL      no       ippp1   0.0490  180
 8   Firma    no       isdn2   0.0800   90
 9   Firma    no       isdn2   0.0300   90
10   Firma    no       isdn2   0.0300   90

For circuit 1 (Addcom) three time ranges (1-3) are defined. For circuit 2 (AOL) there are four time ranges (4-7) and for the last one there are three time ranges (8-10). In the time table, the indices are printed that are valid in the corresponding hour.

Got everything? Using the command “route”, LC routing can be enabled or disabled. If a positive circuit index is specified (1...N), the default route is changed to the circuit specified. If the index is 0, LC routing is activated again and the active circuit is chosen automatically. 7.1.2.
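The timetable construction described above, worked through in Python as an added example (not imond's code): it parses ISDN_CIRC_x_TIMES entries, expands day and hour ranges (including ranges that wrap past midnight such as 18-09) and, for every hour of the week, picks the cheapest time range of a default-route circuit that takes part in LC routing. The circuit data is constructed to complete the truncated example from the text; the exact column layout of imond's real output may differ.

```python
# Added example, not part of imond: build the LC-routing timetable from
# ISDN_CIRC_x_TIMES entries. Format of one entry: Days:Hours:Charge:Y|N, where
# Y marks time ranges that take part in LC routing. Sample data is constructed.

DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]


def expand_days(spec):
    """'Mo-Fr' -> [0..4], 'Sa' -> [5]; a range may wrap around ('Sa-Mo')."""
    first, _, last = spec.partition("-")
    a = DAYS.index(first)
    b = DAYS.index(last) if last else a
    return [(a + i) % 7 for i in range((b - a) % 7 + 1)]


def expand_hours(spec):
    """'09-18' -> 9..17, '18-09' -> 18..23 and 0..8, '00-24' -> all 24 hours."""
    start, end = (int(x) for x in spec.split("-"))
    if end <= start:
        end += 24            # the range wraps past midnight
    return [h % 24 for h in range(start, end)]


def parse_ranges(circuits):
    """circuits: {circuit index: (name, ISDN_CIRC_x_ROUTE, ISDN_CIRC_x_TIMES)}.
    Returns one dict per time range, numbered 1..N like imond's timetable.
    Only default-route circuits (ROUTE '0.0.0.0') with a 'Y' range take part
    in LC routing."""
    ranges = []
    for circ_no in sorted(circuits):
        name, route, times = circuits[circ_no]
        for entry in times.split():
            days, hours, charge, flag = entry.split(":")
            ranges.append({
                "idx": len(ranges) + 1, "circuit": circ_no, "name": name,
                "days": expand_days(days), "hours": expand_hours(hours),
                "charge": float(charge),                          # per minute
                "lcr": flag.upper() == "Y" and route == "0.0.0.0",
            })
    return ranges


def build_timetable(ranges):
    """7 x 24 matrix: index of the cheapest LC-routing range covering the hour,
    0 if no default-route circuit is available then; ties go to the lower index."""
    table = [[0] * 24 for _ in range(7)]
    for day in range(7):
        for hour in range(24):
            candidates = [r for r in ranges
                          if r["lcr"] and day in r["days"] and hour in r["hours"]]
            if candidates:
                best = min(candidates, key=lambda r: (r["charge"], r["idx"]))
                table[day][hour] = best["idx"]
    return table


def format_timetable(table):
    lines = ["     " + "".join("%3d" % h for h in range(24))]
    for day, row in zip(DAYS, table):
        lines.append("%-5s" % day + "".join("%3d" % idx for idx in row))
    return "\n".join(lines)


CIRCUITS = {  # constructed sample data completing the example from the text
    1: ("Addcom", "0.0.0.0",
        "Mo-Fr:09-18:0.0388:N Mo-Fr:18-09:0.0248:Y Sa-Su:00-24:0.0248:Y"),
    2: ("AOL", "0.0.0.0",
        "Mo-Fr:09-18:0.0190:Y Mo-Fr:18-09:0.0490:N Sa-Su:09-18:0.0190:N Sa-Su:18-09:0.0490:N"),
    3: ("Firma", "192.168.10.0/24",   # constructed: not a default-route circuit
        "Mo-Fr:09-18:0.0800:N Mo-Fr:18-09:0.0300:N Sa-Su:00-24:0.0300:N"),
}

if __name__ == "__main__":
    print(format_timetable(build_timetable(parse_ranges(CIRCUITS))))
```

With this data the weekday daytime hours resolve to range 4 (AOL), the weekday night hours to range 2 (Addcom) and the weekend to range 3 (Addcom); the Firma circuit never appears because it is not a default-route circuit.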
Light Green: Online and traffic on the channel
Dark Green: Online and (nearly) no traffic on the channel
imonc behaves a little differently from the Windows standard when clicking the minimize button in the title bar: it minimizes imonc to the system tray, so only a tray icon near the clock remains. Double-clicking the tray icon with the left mouse button brings imonc's window back to the foreground.

the commands there another one exists: timesync. If used, imonc synchronizes the clock of the client with the router's clock. The command dialtimesync is not supported anymore; it is replaced by "dial; timesync". • /d:"fli4l-Directory" Pass the fli4l directory as a start parameter. May be of interest when using more than one fli4l version. • /wait If the hostname cannot be resolved, imonc will not exit anymore – start another attempt by double-clicking the tray icon.

each available channel which is online at the moment). This is of interest in case several different connections exist, e.g. one to surf the Internet and another to a private net, and only one of them should be terminated. If the telmond process is active on the router, imonc can additionally show information about incoming phone calls (i.e. calling and called MSN). The last incoming phone call is displayed above the buttons.

– Start with Windows: Specify here whether the client should start automatically at system start. Provide necessary start parameters in the field Parameter. – Fetch News from fli4l.de: Should news from fli4l's homepage be fetched and displayed by imonc? Headlines are then shown in the status bar, and a new page News displays the complete messages. – Logfile for Connections: The file name given here is used to save connection lists locally on imonc's system.

– Logfile: The file name you can specify here is used to save the call list locally on the computer. This menu item is only visible if the config variable TELMOND_LOG is set to ‘yes’ (this also applies to the call list). – Use External Search: In this area, a program may be specified that will be called when a phone number cannot be resolved using the local phone book. The information should then be provided by this program.

As of version 1.5.2: on the page Names it is also possible to synchronize the local phone book with the router's one (stored in /etc/phonebook) and vice versa. The files are not simply replaced; missing entries are added. If a phone number exists in both phone books with different names, you will be prompted for the entry to be taken.

∗ Start E-Mail Client: Should the e-mail client be started automatically if new e-mails were found? ∗ E-Mail Client: Specify the e-mail client to start. ∗ Param: Provide additional parameters for starting the e-mail client. If using Outlook as e-mail client (not Outlook Express), you should set /recycle as a parameter. This reuses an already running instance of Outlook when loading new e-mails. • Admin – root-Password: Set the router password (PASSWORD in config/base.

– Colors: Define the main colors for the Traffic Information window. Note that the DSL channel and the first ISDN channel are assigned the same color value. – Limits: Set the maximum transfer values for DSL here - upload and download. • The syslog area is used to configure the display of syslog messages.

In the call overview you may right-click on the number or MSN to copy it to the phone book and assign a name to it there, which will be shown instead from then on. 7.2.6. Connections Page As of version 1.4 this page displays the connections established by the router. This helps to monitor the router's behavior, especially when automatic dial-in is configured. IMOND_LOG in config/base.txt has to be set to ‘yes’ for this page to appear.

7.2.8. E-Mail Page This page is shown only if at least one POP3 e-mail account is configured and activated in the config dialog. The page E-Mail should be self-explanatory. Here the e-mail check is monitored. If the option “Check even if the router is offline” is not activated, the e-mail check will check all e-mail accounts in the specified time interval only while the router is online.

7.2.10. Error, Syslog and Fir ewall Pages These pages are only visible if entries are present in the respective logs and imonc is in admin mode. On the Errors page all imonc/imond-specific errors are noted. If problems occur, reviewing this page may help. On the Syslog page all incoming syslog messages are shown except for those of the firewall, which have their own page, Firewall. For this to work, the variable OPT_SYSLOGD in config/base.txt has to be set to ‘yes’.

• Default-Route-Circuits • ISDN channels
Status      : Calling/Online/Offline
Name        : Phone number of the peer or the circuit name
Time        : Online time
Charge-Time : Online time considering the charge interval
Charge      : The actual charge
Possible commands:
Nr  Command      Meaning
0   quit         Quit program
1   enable       Activate
2   disable      Deactivate
3   dial         Dial
4   hangup       Hang up
5   reboot       Reboot
6   timetable    Output timetable
7   dflt route   Set Default-Route-Circuit
8   add channel  Add second ISDN channel
9   rem channel  Remove second ISDN channel

9 – remove channel Removes the second ISDN channel. See also “add channel”. Apart from that, the same annotations as for the Windows client imonc.exe apply. A little remark: From fli4l 1.4 on it is possible to install a “minimalistic” imon client on the fli4l router itself using OPT_IMONC='yes' in the package TOOLS. You will then be able to change some settings, e.g. routing, locally on the fli4l console.
8. Documentation for Developers 8.1. Common Rules In order to include a new package in the OPT database on the fli4l homepage some rules must be obeyed. Packages that do not comply with these rules may be removed from the database without warning. 1. No file copy actions by the user! fli4l provides a sophisticated system to include the fli4l packages into the installation archives. All files that should go to the router are located in opt/. 2.
8.3. Module Concept As of version 2.0 fli4l is split into modules (packages), i.e. • fli4l-3.10.1 — The Base Package • dns-dhcp • dsl • isdn • sshd • and much more... With the base package fli4l acts as a pure Ethernet router. For ISDN and/or DSL the packages isdn and/or dsl have to be unpacked into the fli4l directory. The same applies to the other packages. 8.3.1. mkfli4l Depending on the current configuration a file called rc.cfg and two archives rootfs.img and opt.img

Table 8.1.: Parameters for mkfli4l
Option              Meaning
-c, --config <dir>  Directory mkfli4l scans for package config files (default: config)
-x, --check <dir>   Directory mkfli4l scans for files needed for package error checking (.txt, .exp and .ext files)
Further options: -l/--log, -p/--package, -i/--info, -v/--verbose, -h/--help, -d/--debug.

8.3.3. Configuration of Packages The user's changes to the package's configuration are made in the file config/<package>.txt.

1. The first column contains the name of a variable which triggers inclusion of the file referenced in the third column, depending on its value in the package's config file. The name of a variable may appear in the first column as often as needed if multiple files depend on it. Any variable that appears in the file opt/<package>.txt is marked by mkfli4l. If multiple variables should be tested for the same value, a comma-separated list of variables can be used instead.

Table 8.2.: Options for Files
Option  Meaning
type=   Type of the entry (default: local). Possible values: local – an object existing in the file system, matching “file”, “dir”, “node” or “symlink” as appropriate; file – a file; dir – a directory; node – a device node; symlink – a (symbolic) link. This option has to be placed first when given.
uid=    owner of the entry
gid=    group of the entry
mode=   access rights of the entry
flags=  (only for type=file)

• copy the file if PCMCIA_PCIC='i82365', set uid/gid to root and the rights to 644 (rw-r--r--):
pcmcia_pcic  i82365  files/lib/modules/${KERNEL_VERSION}/pcmcia/i82365.ko
• copy the file if one of the NET_DRV_% variables matches the second field, set uid/gid to root and the rights to 644 (rw-r--r--):
net_drv_%  3c503  3c503.ko
• copy the file if the variable POWERMANAGEMENT does not contain the value “none”:
powermanagement  !none  etc/rc.d/rc100.

Files adapted by Configuration In some situations it is desired to replace original files with configuration-specific ones for inclusion in the archive, e.g. host keys or your own firewall scripts. mkfli4l supports this scenario by checking whether a file can be found in the configuration directory and, if so, including that one instead in the file list for opt.img resp. rootfs.img.

If a variable does not depend on any OPT variable, it is considered active. If it depends on an OPT variable, it is active precisely if • its OPT variable is active and • its OPT variable contains the value “yes”. In all other cases the variable is inactive. Hint: Inactive OPT variables that are set to “yes” in the configuration file are reset to “no” by mkfli4l, and an appropriate warning is generated (e.g. OPT_Y='yes' is ignored, because OPT_X='no').
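How the opt/<package>.txt rules and the active/inactive logic fit together, as an added Python example that is not mkfli4l itself: it evaluates the first two columns of each line (exact value, "!value" negation, "%" wildcard, comma-separated variable lists), applies the active/inactive rule for variables that depend on an OPT switch, resets inactive OPT variables the way the hint describes, and prefers a file from the configuration directory when one exists. The variable dependencies, the rc100 script name, the sshd host-key line and the foo/bar variables are constructed; case-insensitive comparison of variable names and values is an assumption about mkfli4l's behaviour.

```python
import re

# Added example, not mkfli4l itself: which files does an opt/<package>.txt
# select, given a configuration and the OPT dependencies of its variables?
# Dependencies are normally declared in the check file; here they are a dict.


def is_active(var, config, depends_on):
    """A variable without an OPT dependency is active; with one it is active
    only if that OPT variable is itself active and set to 'yes'."""
    opt = depends_on.get(var)
    if opt is None:
        return True
    return is_active(opt, config, depends_on) and config.get(opt, "no").lower() == "yes"


def normalize_opts(config, depends_on):
    """Reset inactive OPT_* variables that are set to 'yes' back to 'no' and
    collect the warnings mkfli4l would print for them."""
    fixed, warnings = dict(config), []
    for var, value in config.items():
        if (var.startswith("OPT_") and value.lower() == "yes"
                and not is_active(var, fixed, depends_on)):
            fixed[var] = "no"
            warnings.append("%s='yes' is ignored, because %s='no'" % (var, depends_on[var]))
    return fixed, warnings


def matching_vars(pattern, config):
    """'net_drv_%' -> every NET_DRV_<number> present in the configuration.
    Names are compared case-insensitively (assumption)."""
    parts = [re.escape(p) for p in pattern.upper().split("%")]
    rx = re.compile("^" + "[0-9]+".join(parts) + "$")
    return [name for name in config if rx.match(name)]


def value_matches(spec, value):
    """Second column: the exact value, or '!value' for 'anything but value'.
    A variable that is not set never matches."""
    if value is None:
        return False
    if spec.startswith("!"):
        return value.lower() != spec[1:].lower()
    return value.lower() == spec.lower()


def expand_vars(path, config):
    """${NAME} in a path is replaced by the configuration value of NAME."""
    return re.sub(r"\$\{(\w+)\}", lambda m: config.get(m.group(1), m.group(0)), path)


def select_files(opt_lines, config, depends_on, config_dir_files=()):
    """Return [(source path, options)] for every selected line. A file that
    also exists in the configuration directory is taken from there instead."""
    selected = []
    for raw in opt_lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        var_spec, value_spec, path, *options = line.split()
        names = [n for pat in var_spec.split(",") for n in matching_vars(pat, config)]
        if any(is_active(n, config, depends_on) and value_matches(value_spec, config.get(n))
               for n in names):
            path = expand_vars(path, config)
            where = "<config-dir>/" if path in config_dir_files else "opt/"
            selected.append((where + path, " ".join(options)))
    return selected


OPT_LINES = [  # constructed lines in the opt/<package>.txt format
    "pcmcia_pcic      i82365  files/lib/modules/${KERNEL_VERSION}/pcmcia/i82365.ko",
    "net_drv_%        3c503   files/lib/modules/${KERNEL_VERSION}/net/3c503.ko",
    "powermanagement  !none   etc/rc.d/rc100.powermanagement",    # hypothetical name
    "opt_sshd         yes     etc/ssh/ssh_host_rsa_key  mode=600",  # hypothetical line
    "foo_enabled      yes     etc/foo.conf",                        # hypothetical line
]
CONFIG = {  # constructed configuration
    "KERNEL_VERSION": "3.14.0",
    "OPT_PCMCIA": "yes", "PCMCIA_PCIC": "i82365",
    "NET_DRV_N": "2", "NET_DRV_1": "3c503", "NET_DRV_2": "e100",
    "POWERMANAGEMENT": "none",
    "OPT_SSHD": "yes",
    "OPT_FOO": "no", "FOO_ENABLED": "yes",   # inactive: OPT_FOO is 'no'
    "OPT_BAR": "yes",                        # inactive too: depends on OPT_FOO
}
DEPENDS_ON = {"PCMCIA_PCIC": "OPT_PCMCIA", "FOO_ENABLED": "OPT_FOO", "OPT_BAR": "OPT_FOO"}

if __name__ == "__main__":
    cfg, warnings = normalize_opts(CONFIG, DEPENDS_ON)
    for w in warnings:
        print("Warning: " + w)
    for src, opts in select_files(OPT_LINES, cfg, DEPENDS_ON, {"etc/ssh/ssh_host_rsa_key"}):
        print(src, opts)
```

Run as a script it prints one warning for OPT_BAR and selects the i82365 and 3c503 modules plus the host key from the configuration directory; the rc100 script (POWERMANAGEMENT is 'none') and foo.conf (FOO_ENABLED is inactive) are left out.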
RE:yes|no. This is useful if a test is performed only once and is relatively simple. For more details see the next chapter. 5. Default Setting: In this column an optional default value for the variable can be defined, for the case that the variable is not specified in the configuration file. Hint: At the moment this does not work for array variables. Additionally, the variable can't be optional (no “+” in front of the variable name).

be referenced in the file check/<package>.txt. check/base.exp, for example, currently contains definitions for the known tests and check/isdn.exp a definition for the variable ISDN_CIRC_x_ROUTE (the absence of this check was the trigger for the changes). The syntax is as follows (again, double quotes can be used if needed): <NAME> = '<regular expression>' : '<error message>' As an example, check/base.

Expansion of Existing Regular Expressions If an optional package adds an additional value for a variable which is examined by a regular expression, then the regular expression has to be expanded. This is done simply by defining the new possible values by a regular expression (as described above) and complementing the existing regular expression in a separate check/<package>.exp file. That an existing expression is modified is indicated by a leading “+”.

Extending Regular Expressions Depending on other Variables Alternatively, you may also use arbitrary values of variables as conditions; the syntax looks like this: +NET_DRV(KERNEL_VERSION=~'^3\.14\..*$') = ... If KERNEL_VERSION matches the given regular expression (i.e. if any kernel of the 3.14 line is used), then the list of allowed network drivers is extended with the drivers mentioned.

• an empty pair of brackets stands for an “empty” expression • an expression in square brackets “[ ]” (see below) • a dot “.”, matching an arbitrary character; for example “.+” matches any string containing at least one character • a “^” represents the beginning of a line; for example “^a.*” matches a string beginning with an “a” followed by any characters, as in “a” or “adkadhashdkash” • a “$” represents the end of a line • a backslash “\” followed by one of the special characters ^ .

IPADDR: Let's have a look at an example with an IPv4 address. An IPv4 address consists of four “octets”, divided by dots (“.”). An octet is a number between 0 and 255. Let's define an octet first.

./i586-linux-regexp -c ../check IPADDR 192.168.0.256
using predefined regular expression from base.exp
adding IPADDR='((RE:OCTET)\.){3}(RE:OCTET)' ('^(((1?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])\.){3}(1?[0-9]?[0-9]|2[0-4][0-9]|25[0-5]))$')
regex error 1 (No match) for value '192.168.0.256' and regexp '((RE:OCTET)\.){3}(RE:OCTET)' (unknown:-1)
wrong value of variable cmd_var: '192.168.0.256' (invalid ipv4 address)
8.3.7.
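The (RE:NAME) expansion and the “+” extension from the preceding pages, reimplemented in Python as an added example; mkfli4l's regexp tool is a C program and is not reproduced here. The OCTET/IPADDR definitions follow the documented example (the expanded expression comes out identical to the one the tool prints above); the NET_DRV list and its extension in a second .exp file are constructed.

```python
import re

# Added example, not mkfli4l's own regexp tool: parse .exp style definitions,
# expand (RE:NAME) references, honour the '+' extension syntax and anchor the
# result with ^...$ before matching a value, as the tool output above shows.

DEF_RX = re.compile(r"^(\+?)(\w+)\s*=\s*'([^']*)'\s*(?::\s*'([^']*)')?\s*$")


def parse_exp(text, defs=None):
    """Parse NAME = 'regex' : 'error text' lines into {NAME: (regex, error)}.
    A leading '+' appends the new regex as an alternative to an existing one."""
    defs = {} if defs is None else defs
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = DEF_RX.match(line)
        if not m:
            raise ValueError("unparsable definition: %r" % line)
        plus, name, regex, error = m.groups()
        if plus:
            old_regex, old_error = defs[name]          # KeyError if nothing to extend
            defs[name] = ("(%s)|(%s)" % (old_regex, regex), old_error)
        else:
            defs[name] = (regex, error or "wrong value")
    return defs


def expand(name, defs, seen=()):
    """Replace every (RE:NAME) by the parenthesized definition of NAME,
    recursively; a definition referring to itself is rejected."""
    if name in seen:
        raise ValueError("recursive definition of " + name)
    regex = defs[name][0]
    return re.sub(r"\(RE:(\w+)\)",
                  lambda m: "(" + expand(m.group(1), defs, seen + (name,)) + ")",
                  regex)


def check(name, value, defs):
    """Match the whole value like mkfli4l's '^(...)$'.
    Returns (True, anchored regex) or (False, error message)."""
    expanded = expand(name, defs)
    if re.fullmatch("(" + expanded + ")", value):
        return True, "^(" + expanded + ")$"
    return False, "wrong value '%s' (%s)" % (value, defs[name][1])


BASE_EXP = """
OCTET   = '1?[0-9]?[0-9]|2[0-4][0-9]|25[0-5]' : 'should be an octet (0-255)'
IPADDR  = '((RE:OCTET)\\.){3}(RE:OCTET)'     : 'invalid ipv4 address'
NET_DRV = 'e100|3c503'                       : 'unknown network driver'
"""
# constructed extension, as an optional package would add it in its own .exp file
PKG_EXP = "+NET_DRV = 'tg3|e1000'"

if __name__ == "__main__":
    defs = parse_exp(PKG_EXP, parse_exp(BASE_EXP))
    for var, value in (("IPADDR", "192.168.0.1"), ("IPADDR", "192.168.0.256"),
                       ("NET_DRV", "tg3"), ("NET_DRV", "rtl8139")):
        print(var, value, check(var, value, defs))
```

One caveat worth knowing when reusing the OCTET expression for input validation: it accepts leading zeros such as "192.168.0.01", which some inet_aton() implementations interpret as octal, so a stricter definition is needed where that matters.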
Then the character strings are rewritten as follows, if variable substitution is active in this context:

"My router is called $HOSTNAME"                 # --> "My router is called fli4l"
"HOSTNAME is part of the package %{HOSTNAME}"   # --> "HOSTNAME is part of the package base"
"@HOST_N is $HOST_N"                            # --> " # Number of hosts is 1"

As you can see, there are basically three options for replacement: • $ resp. ${}: Replaces the variable name with the contents of the variable.

Definition of a Service with an associated Version Number: provides For instance, an OPT may declare that it provides a Printer service or a Webserver service. Only one package can provide a certain service. This prevents, e.g., two web servers being installed in parallel, which is not possible for obvious reasons, since both servers would try to bind port 80. In addition, the current version of the service is provided so that updates can be triggered.

Communication with the User: warning, error, fatal_error Using these three functions users may be warned, signalled an error, or the test may be stopped immediately. The syntax is as follows: • warning "text" • error "text" • fatal_error "text" All strings passed to these functions are subject to variable substitution (Page 300). Assignments If for any reason a temporary variable is required, it can be created by “set var [= value]”.

set s="a"
set v1="$s"   # v1="a"
set s="b"
set v2="$s"   # v2="b"
if (v1 == v2)
then
    warning "equal"
else
    warning "not equal"
fi

will output “not equal”, because the variables v1 and v2 receive the content of the variable s already at the time of assignment. Hint: A variable set in a script is visible while processing further scripts – currently there is no such thing as local variables.

The example checks whether a file exists in the current configuration directory. If OPENVPN_1_SECRET='test' is set in the configuration file, the loop in its first iteration checks for the existence of the file etc/openvpn/test.secret in the current configuration directory.

The RegEx has (only) matched “/bin/” (only this part of the line is contained in the variable FGREP_MATCH_1). The first bracketed part of the expression only matches the first character after the first “/”, which is why only “b” is contained in FGREP_MATCH_2. The second bracketed part contains the rest after “b” up to the last “/”, hence “in” is stored in the variable FGREP_MATCH_3. The following second example demonstrates a typical use of fgrep, taken from check/base.ext.

If the elements generated by such a split should be used in a numeric context (e.g. as indices), this has to be specified when calling split. This is done with the additional attribute “numeric”. Such a call looks as follows: split (<variable>, <target array>, <separator>, numeric) An example: set bar="1.2.3.4" split (bar, tmp_%, '.

if (opt_sshd)
then
    foreach pkf in sshd_public_keyfile_%
    do
        stat("$config_dir/etc/ssh/$pkf", publickeyfile)
        if (publickeyfile_res == "OK")
        then
            add_to_opt "etc/ssh/$pkf" "mode=400 flags=utxt"
        else
            error "sshd: missing public keyfile %pkf=$pkf"
        fi
    done
fi

stat (Page 305) first checks whether the file exists in the configuration directory. If it does, it is included in the archive; if not, mkfli4l aborts with an error message.

associated with this array. The control variable takes the values of the respective array variables. Note that when processing optional array variables that are not present in the configuration, an empty element is generated.
8. Documentation for Developers Expressions Expressions link values and operators to a new value. Such a value can be an normal variable, an array element, or a constant (Number, string or version number). All string constants in expressions are subject to variable substitution (Page 300). Operators allow just about everything you could want from a programming language.
8. Documentation for Developers Match-Operator With the match operator =~ you can check whether a regular expression matches the value of a variable. Furthermore, one can also use the operator to extract subexpressions from a variable. After successfully applying a regular expression on a variable the array MATCH_% contains the parts found.
8. Documentation for Developers • the variable is active (if it depends on an OPT it has to be set to “yes”), • the variable was referenced in an opt/.txt-file and • whether a file was copied dependant on the current value. copy_pending will return “true” if it detects that during the last step no file was copied, the copy process hence still is “pending”. A small example of the use of all these functions can be found in check/base.
8. Documentation for Developers 8.3.8. Support for Different Kernel Version Lines Different kernel version lines often differ in some details: • changed drivers are provided, some are deleted, others are added • module names simply differ • module dependencies are different • modules are stored in different locations These differences are mostly handled automatically by mkfli4l.
8. Documentation for Developers The entire text documentation may not contain any tabs and has to have a line feed no later than after 79 characters. This ensures that the documentation can also be read correctly with an editor without automatic line feed. Also a documentation in LATEX-format is possible, with HTML and PDF versions generated from it. The documentation of fli4l may serve as an example here. A documentation framework for required LATEX-macros can be found in the package “template”.
8. Documentation for Developers LATEX-Basics LATEX is, just like HTML, “Tag-based” , only that the tags are called “commands” and have this format: \command resp. \begin{environment} . . . \end{environment} By the help of commands you should rather emphasize the importance of the text less the display. It is therefore of advantage to use \warning{Please␣do␣not...} instead of \emph{Please␣do␣not...} . Each command rsp.
8. Documentation for Developers 8.3.14. More Files All files, which will be copied to the router have to be stored under opt/etc/ and opt/files/. Be under • opt/etc/boot.d/ and opt/etc/rc.d/: scripts, that should be executed on system start • opt/etc/rc0.
8. Documentation for Developers #-------------------------------------------------------------------# /etc/rc.d/rc500.dummy - start my cool dummy server # # Creation: 19.07.2001 Sheldon Cooper # Last Update: 11.11.2001 Howard Wolowitz #-------------------------------------------------------------------- Now for the real stuff to start... 8.4.2. Handling of Configuration Variables Packages are configured via the file config/.txt.
the first argument of the begin_script call (Page 319)). If no suitable medium exists (which may well be the case), /var/lib/persistent is a directory in the RAM disk. Please note that the path returned by map2persistent is not created automatically; the caller has to do that himself (i.e. by calling mkdir -p). The file /var/run/persistent.conf allows for checking whether persistent data storage is possible. Example: . /var/run/persistent.
LOG_BOOT_SEQ Setting this variable to “yes” will cause bootlogd to log all console output during boot to the file /var/tmp/boot.log. The default value of this variable is “yes”.
DEBUG_KEEP_BOOTLOGD Normally bootlogd is terminated at the end of the boot process. Activating this variable prevents this and thus allows logging console output during the whole runtime.
8.5. Using The Packet Filter
8.5.1. Adding Own Chains And Rules
A set of routines is provided to manipulate the packet filter, i.e. to add or delete so-called “chains” and “rules”. A chain is a named, ordered list of rules. There is a set of predefined chains (PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING); using this set of routines more chains can be created as needed.
add_chain/add_nat_chain: Adds a chain to the “filter” or “nat” table.
reject: This variable contains the chain that is branched to when a packet is rejected.
After calling get_count the variable res contains the number of rules in the chain. This position is of importance because you cannot simply use add_rule to append a rule at the end of the predefined “filter” chains INPUT, FORWARD and OUTPUT.
# extension is available
foo_p=yes

# the actual extension, adding matches to match_opt
do_foo()
{
    param=$1
    get_negation $param
    match_opt="$match_opt -m foo $neg_opt --fooval $param"
}

2. Testing the extension:
$ cd opt/etc/rc.d
$ sh test-rules.sh 'foo:bar ACCEPT'
add_rule filter FORWARD 'foo:bar ACCEPT'
iptables -t filter -A FORWARD -m foo --fooval bar -s 0.0.0.0/0 \
    -d 0.0.0.0/0 -m comment --comment foo:bar ACCEPT -j ACCEPT
3.
httpd-menu.sh add [-p ] [section] [realm]
Thus, an entry with the given name is inserted into [section]. If [section] is omitted, it will be inserted in the section “OPT-Packages” by default. The link argument specifies the target of the new link. The -p option specifies the priority of a menu item in its section. If not set, the default priority 500 is used. The priority should be a three-digit number.
8.6.4. Construction of a CGI script
The headers
All web server scripts are simple shell scripts (interpreters such as Perl, PHP, etc. are much too big for fli4l). You should start with the mandatory script header (reference to the interpreter, name, what the script does, author, license).
Helper Script cgi-helper
After the header you should include the helper script cgi-helper with the following call: .
The Function show_html_header
The show_html_header function expects a string as a parameter. This string represents the title of the generated page. It automatically generates the menu and includes the associated CSS and language files as long as they can be found in the directories /srv/www/css resp. /srv/www/lang and have the same name (but of course a different extension) as the script. An example:
/srv/www/admin/OpenVPN.cgi
/srv/www/css/OpenVPN.css
/srv/www/lang/OpenVPN.
The Function show_tab_header
To structure the content of the web page generated by your CGI you may use the cgi-helper function show_tab_header. It creates clickable “tabs” in order to present your page divided into multiple logically separated areas. Parameters are always passed in pairs to the show_tab_header function. The first value is the title of a tab, the second the link.
Multi-Language Capabilities
The helper script cgi-helper furthermore contains functions to create multilingual CGI scripts. You only have to use variables with a leading underscore (_) for all text output. These variables have to be defined in the respective language files. Example:
Let lang/opt.de contain:
_opt_dothis="Eine Ausgabe"
Let lang/opt.en contain:
_opt_dothis="An Output"
Let admin/opt.cgi contain:
...
echo $_opt_dothis
...
The Function show_warn
This function displays a warning message in a yellow box. It expects two parameters: a title and a message. Example:
show_warn "Warning" "No connection at the moment!"
The Function show_info
This function displays an information or success message in a green box. It expects two parameters: a title and a message.
8.6.5. Miscellaneous
This and that (yes, also important!):
• mini_httpd does not protect subdirectories with a password. Each directory must contain a .htaccess file or a link to another .htaccess file.
• KISS - Keep it simple, stupid!
• This information may change at any time without prior notice!
8.6.6. Debugging
To ease debugging of a CGI script you may activate the debugging mode by sourcing the cgi-helper script. Set the variable set_debug to “yes” in order to do so.
8.7.2. Start And Stop Scripts
Scripts intended to be executed on system boot are located in the directories opt/etc/boot.d/ and opt/etc/rc.d/ and will also be executed in this sequence. Furthermore, scripts executed on shutdown are to be found in opt/etc/rc0.d/. Important: These scripts must not contain an “exit”, because no separate process is created for their execution. This command would lead to a premature ending of the boot process!
Start Scripts in opt/etc/boot.
Number    Task
000-099   Base system (hardware, time zone, file system)
100-199   Kernel modules (drivers)
200-299   External connections (PPPoE, ISDN4Linux, PPtP)
300-399   Network (Routing, Interfaces, Packet filter)
400-499   Server (DHCP, HTTPD, Proxy, etc.)
500-900   Any
900-997   Anything causing a dialin
998-999   reserved (please do not use!)
3.
assignments should be used. A path under /var/run/ makes sense for transient data, while for persistent data it is advised to use the function map2persistent (Page 318) combined with a suitable configuration variable.
Stop Scripts in opt/etc/rc0.d/
Each machine must be shut down or restarted from time to time. It is perfectly possible that you have to perform operations before the computer is shut down or restarted.
Important: The module has to exist exactly by this name, no aliases may be used. When using an alias do_modprobe will be called immediately.
Messages And Error Handling
log_info: Logs a message to the console and to /bootmsg.txt. If no message is passed as a parameter log_info reads from standard input. The function always returns 0.
log_warn: Logs a warning message to the console and to /bootmsg.txt, using the string WARN: as a prefix.
Miscellaneous
mk_writable: Ensures that the given file is writable. If the file is located on a volume mounted read-only and is only linked into the file system via a symbolic link, a local copy will be created which is then written to.
unique: Removes duplicates from the list passed. The result is returned in the variable list.
8.7.4. ttyI Devices
For ttyI devices (/dev/ttyI0 . . .
Important: Since no separate process is created for these scripts, they must not invoke “exit” either!
Hint: If a script wants to check whether ip-up scripts are being executed, the variable ip_up_events may be sourced from rc400 on. If it is set to “yes” dialup connections exist and ip-up scripts will be executed. If it is set to “no”, no dialup connections are configured and ip-up scripts will not be executed.
• configuration variables are stored for later use (opt/etc/rc.d/rc999.template)
• stored configuration variables are processed (opt/files/usr/bin/template_show_config)
8.9. Structure of the Boot Medium
As of version 1.5 the program syslinux is used for booting. Its advantage is that a DOS-compatible file system is available on the boot medium. The boot medium contains the following files:
ldlinux.sys
syslinux.cfg
kernel
rootfs.img
opt.img
rc.cfg
BOOT.MSG
BOOT_S.MSG
BOOT_Z.
2. DNS configuration
• etc/resolv.conf
• etc/dnsmasq.conf
• etc/dnsmasq_dhcp.conf
• etc/resolv.dnsmasq
3. Hosts file
• etc/hosts
4. imond configuration
• etc/imond.conf
8.10.1. Provider Configuration
For the providers chosen, user ID and password are entered in etc/ppp/pap-secrets. Example for the provider Planet-Interkom:
# Secrets for authentication using PAP
# client      server  secret    IP addresses
"anonymer"    *       "surfer"  *
In this example “anonymer” is the user ID.
expand-hosts
filterwin2k
conf-file=/etc/dnsmasq_dhcp.conf
8.10.3. Hosts File
This file contains a mapping of host names to IP addresses. This assignment, however, is used only locally on the fli4l and is not visible to other computers in the LAN. This file is actually redundant if a local DNS server is started in addition.
8.10.4. imond Configuration
The file etc/imond.
A. Appendix to basepackage
A.1. Null Modem Cable
For using the optional package PPP (Page 185) a null modem cable is needed. It needs at least three wires.
As a cable to the terminal or PC with terminal emulation a null modem cable (Page 340) is used. Using a standard null modem cable is discouraged because these have bridges on the handshake wires. If the terminal or PC is powered off (or no terminal emulation is loaded) the use of a standard null modem cable can thus lead to a hangup. This is why a special wiring is needed here to use fli4l also when the terminal is deactivated.
cat /proc/interrupts shows the interrupts used by the drivers, not those used by the hardware! More interesting files under /proc are devices, dma, ioports, kmsg, meminfo, modules, uptime, version and pci (if the router has a PCI bus). Often a connection problem with ipppd is caused by failing authentication. The variables OPT_SYSLOGD='yes' and OPT_KLOGD='yes' in config/base.txt and ISDN_CIRC_x_DEBUG='yes' in config/isdn.txt can help here.
A.6.
A.9. Credits
In this part of the documentation all people are honored who contribute or have contributed to the development of fli4l.
A.9.1. Foundation Of The Project
Meyer, Frank
email: frank(at)fli4l(dot)de
Frank started the project fli4l on May 4th, 2000! See: http://www.fli4l.de/home/eigenschaften/historie/
A.9.2.
A.9.3.
A.10. Feedback
Criticism, feedback and cooperation are always welcome. The primary point of contact is the fli4l newsgroups. Those having problems setting up a fli4l router should first read the FAQ, the Howtos and the newsgroup archives before posting in the newsgroups. Information on the different groups and netiquette can be found on the fli4l website:
http://www.fli4l.de/hilfe/newsgruppen/
http://www.fli4l.de/hilfe/faq/
http://www.fli4l.
B. Appendixes to optional packages
B.1. CHRONY - Inform other applications about timewarps
If chrony notices that the clock deviates significantly from the current time, it corrects the time in one big step and starts scripts to inform other applications about this timewarp. For example, to inform imond about a timewarp, chrony does the following:
1. Include scripts into the archive
Chrony includes two files into the archive:
start_imond   yes   etc/chrony.d/timewarp.
start_imond   yes
These variables can be put in curly brackets to be clearly distinguishable from normal text, e.g. $ip becomes ${ip}. If using quotation marks it should be noted that within single quotes the variables mentioned above are not expanded, while this works with double quotes. As a rule of thumb: always use single quotes, except when using variables, which require double quotes.
check/dyndns.exp
In this file the provider name has to be added at the end of the long line starting with DYNPROVIDER = , separated by a ’|’.
doc/Language/tex/dyndns/dyndns_main.tex
Add a new paragraph to the documentation. The providers have to be sorted alphabetically by the short name the user gives in the config file. The prov macro is documented at the beginning of the file; enough examples should be present.
B.3.2.
parameter custom is optional. By using it you can set environment variables needed for the command used. If more than one variable has to be set, separate them by a zz. Please do not change the environment variable PATH because otherwise the following crontab entries could not be executed correctly anymore.
#
# example I: normal use, 2 parameters
#
crontime="0 5 1 * *"
croncmd="rotate_i_log.
• wrong disk is configured for the installation
• controller is not supported by fli4l.
B.6. HTTPD
B.6.1. Additional Settings
These variables are not present in the configuration and thus have to be added to it when needed.
HTTPD_USER By using this option the web server can be run with the rights of a user other than “root”. This is useful especially if the web server should display pages other than the admin interface. Scripts that need access to configuration files possibly won’t run as expected then. Standard scripts will run with any user provided.
B.6.
generic-pc
PC keyboard LEDs:
• keyboard::scroll
• keyboard::caps
• keyboard::num
generic-acpi
PC keyboard LEDs, like generic-pc
pcengines-alix
• alix::1
• alix::2
• alix::3
pcengines-apu
• apu::1
• apu::2
• apu::3
pcengines-wrap
• wrap::1
• wrap::2
• wrap::3
soekris-net4801
• net48xx::error
soekris-net5501
• net5501::error
B.7.2. Available Button Devices
Depending on the HWSUPP_TYPE different GPIO devices are predefined for buttons.
pcengines-apu
• gpio::252
pcengines-wrap
• gpio::40
soekris-net5501
• gpio::25
The button is named ’Reset’ on the Soekris case. Attention: the button must be enabled in the BIOS.
B.8. HWSUPP - Configuration examples
B.8.1.
HWSUPP_LED_2='wlan'
HWSUPP_LED_2_DEVICE='apu::2'
HWSUPP_LED_2_WLAN='wlan0'
HWSUPP_LED_3='online'
HWSUPP_LED_3_DEVICE='apu::3'
HWSUPP_BUTTON_N='1'
HWSUPP_BUTTON_1='wlan'
HWSUPP_BUTTON_1_DEVICE='gpio::252'
HWSUPP_BUTTON_1_PARAM='wlan0'
B.8.3.
1. b ...
2. b b ...
3. b b b ...
4. b b b b b b b b b b b b b b ...
The first sequence is displayed while processing rc002.* to rc250.* (1 blink, pause), for rc250.* to rc500.* the second (2 blinks, pause), for rc500.* to rc750.* the third and for rc750.* until the end of the boot process the fourth sequence (continuous blinking).
B.10.
must be entered in HWSUPP_LED_\${i}_PARAM"
        fi
    fi
done
fi
LED Display
The command /usr/bin/hwsupp_setled has to be executed to set a LED in a package script (e.g. /usr/bin/_setled). The LED number can be found in /var/run/hwsupp.conf. Status can be off, on or blink. Example:
if [ -f /var/run/hwsupp.conf ]
then
    . /var/run/hwsupp.
Parameter check
The parameters which can be entered in HWSUPP_BUTTON_x_PARAM will be checked using check/myopt.ext. Example:
if (opt_hwsupp)
then
    depends on hwsupp version 4.0
fi
foreach i in hwsupp_button_n
do
    set action=hwsupp_button_%[i]
    set param=hwsupp_button_%_param[i]
    if (action == "myopt")
    then
        add_to_opt "files/usr/bin/myopt_keyprog" "mode=555 flags=sh"
        if (!(param =~ "(RE:MYOPT_BUTTON_PARAM)"))
        then
            error "When HWSUPP_BUTTON_\${i}='myopt', ...
B.11.2. Tunnel Configuration
Preparation
At first you have to apply for the tunnel. This happens after registration via the menu item “request tunnel”. It is important to select “Dynamic IPv4 Endpoint using Heartbeat protocol” as the type of the tunnel in the second entry because this configuration is supported directly by fli4l. The third variant “Static IPv4 Endpoint” is also possible if you own a dedicated IPv4 address that never changes.
In addition the username and password have to be specified in the tunnel configuration in the variables IPV6_TUNNEL_1_USERID and IPV6_TUNNEL_1_PASSWORD. Finally set the variable IPV6_TUNNEL_1_TYPE to reflect that the configured tunnel is a SixXS tunnel:
IPV6_TUNNEL_1_TYPE='sixxs'
Example: If you got the PoP “deham01” with the IPv4 address 212.224.0.
established fully by SixXS yet. In the second case you should wait for some time because the configuration on the PoPs may take a few hours. If you double-checked the configuration and discovered no mistakes, and some time has elapsed without the tunnel working, you should contact SixXS by e-mail and describe the problem in detail.
B.11.3. Configuration Of The Subnet
Preparations
If the tunnel is working you have made the first major step. But you have not finished yet.
Long story short: The subnet must be made smaller. It has to become a /64 subnet for auto-configuration to work properly. But that’s easy: the subnet mask has to be changed to /64. If SixXS e.g. assigned the subnet 2001:db8:123::/48 then the subnet for fli4l is just set to 2001:db8:123::/64. In detail this means that the /48 subnet is divided into 2^(64-48) = 2^16 = 65536 sub-subnets. The first one, with the number zero, is to be used with fli4l.
The last two settings are not absolutely necessary for a working IPv6 subnet but are very helpful. They serve to spread additional information on the IPv6 subnet, i.e. the IPv6 address of the DNS server and the domain used. The DNS server may even be published in two ways. Because different systems have different preferences it is of advantage to activate both methods (RDNSS via router advertisements and DHCPv6).
This shows that a packet first reaches fli4l (first line), then the other end of the tunnel (second line) and finally the global IPv6 internet (from the third line on):
C:\>tracert 2001:bf0:c000:a::2:132
Route tracing to virtualhost.in-berlin.
• remote IP will be set to 0.0.0.0 if nothing else is specified. Hence the routes configured by the kernel while initializing the interface will vanish.
• additionally set routes will be saved in a file
• if a netmask is given for the circuit it will be transferred to the ipppd in order to use it for the configuration of the interface (and therefore route generation) after negotiation of an IP.
B.12.2. Error Messages Of The ISDN-Subsystem (i4l-Documentation)
Following is an excerpt from the Isdn4Linux documentation (man 7 isdn_cause). Cause messages are 2-byte information elements, describing the state transitions of an ISDN line. Each cause message describes its origination (location) in one byte, while the cause code is described in the other byte.
39  Bearer capability not authorised.
3A  Bearer capability not presently available.
3F  Service or option not available, unspecified.
41  Bearer capability not implemented.
42  Channel type not implemented.
45  Requested facility not implemented.
46  Only restricted digital information bearer.
4F  Service or option not implemented, unspecified.
51  Invalid call reference value.
52  Identified channel does not exist.
53 54 55 56 58 5B 5F 60 61 62 63 64 65 66 6F 7F
GT MAX HSUPA GX0301   yes   PCMCIA, USB (for the four Cardbus adapters set PCMCIA_PCIC='yenta_socket')
Icon 225 (GIO225)     yes   USB
Huawei adapters:
E220, E230, E270      yes   USB
E510                  yes   USB
E800                  yes   USB
K3520                 yes   USB
ZTE adapters:
MF110                 yes   USB
MF190                 yes   USB
B.13.2. Modem Interface Not Activated
For some OPTION UMTS sticks it may occur that the modem interface which is needed for pppd is not activated.
you can activate the modem interface via the command:
chat -e -t 1 '' "AT_OIFC=3,1,1,0" OK >/dev/ttyHS0
List of Figures
3.1. Packet Filter Structure
3.2. Directory Structure fli4l
4.1. VPN configuration example — tunnel between two routers
4.2. fli4l config directory with OpenVPN *.secret files
4.3. Connection Overview
4.4. Detail view of a connection (Keymanagement)
4.5. fli4l in a standard configuration
List of Tables
3.1. Overview of additional packages
3.2. Automatically generated maximum number of simultaneous connections
3.3. Table of available network adapter drivers; legend: v=virt, n=nonfree, vn=virtnonfree
3.4. Table of available WLAN adapter drivers; legend: v=virt, n=nonfree, vn=virtnonfree