Saturday, November 17, 2007

Running Apache and DHCP in Solaris 8

Quick Install

If you want to just get started and do not care about the details of what I did to create the Apache with mod_ssl package, you can do the following to install Apache:
Download (I will illustrate for Solaris 8 on SPARC):

apache-1.3.27-sol8-sparc-local.gz
openssl-0.9.6i-sol8-sparc-local.gz

Run
gunzip apache-1.3.27-sol8-sparc-local.gz
gunzip openssl-0.9.6i-sol8-sparc-local.gz

and then, as root, run
pkgadd -d apache-1.3.27-sol8-sparc-local
pkgadd -d openssl-0.9.6i-sol8-sparc-local


Put the directories /usr/local/apache/bin and /usr/local/ssl/bin in your PATH, and /usr/local/ssl/lib in your LD_LIBRARY_PATH:

vi /etc/profile
PATH=$PATH:/usr/local/bin:/usr/local/sbin:/usr/local/apache/bin:/usr/local/ssl/bin:/usr/ccs/bin
LD_LIBRARY_PATH=/usr/lib:/usr/openwin/lib:/usr/dt/lib:/usr/ucblib:/usr/local/lib:/usr/local/ssl/lib
export PATH LD_LIBRARY_PATH


Set Port 80, ServerAdmin admin@localhost and ServerName 127.0.0.1 in httpd.conf. Once you have the configuration the way you want it, you can run
/usr/local/apache/bin/apachectl start

tail /usr/local/apache/logs/error_log
[Sun Nov 18 00:26:35 2007] [error] mod_ssl: Init: Failed to generate temporary 512 bit RSA private key (OpenSSL library error follows)
[Sun Nov 18 00:26:35 2007] [error] OpenSSL: error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded
[Sun Nov 18 00:26:35 2007] [error] OpenSSL: error:04069003:rsa routines:RSA_generate_key:BN lib

Running "truss -d /usr/local/apache/bin/httpd" shows that httpd is looking for /dev/urandom, which does not exist on this box. To rectify the problem, create it by running:

ln -s /dev/random /dev/urandom

Caveat: this only helps if /dev/random itself exists, which on Solaris 8 is the case only after Sun's /dev/random patch is installed. The symlink also points the non-blocking name at the blocking device, so when the kernel's entropy pool runs low, mod_ssl's start-up seeding (and anything else that reads /dev/urandom) can stall instead of returning immediately. An alternative that avoids the symlink is to tell mod_ssl to seed from the device that does exist, with "SSLRandomSeed startup file:/dev/random 512" in httpd.conf.

After that, rerun /usr/local/apache/bin/apachectl start and confirm it is listening:
telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
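To make the check above repeatable, here is an added shell example (not part of the original post) that does by script what the truss session revealed by hand: it confirms that the device OpenSSL reads for seeding exists, creates the symlink only when /dev/random is really there, and then asks the openssl binary for random bytes, which fails with the same "PRNG not seeded" error when no seed source is available. The device directory is a parameter so the function can be exercised against a scratch directory; the openssl path is the one from the package installed above.

```shell
#!/bin/sh
# Added example, not part of the original post. Checks the entropy device
# that mod_ssl/OpenSSL needs on Solaris 8 before starting Apache.

# ensure_urandom DEVDIR
#   Makes DEVDIR/urandom exist. DEVDIR defaults to /dev; passing another
#   directory lets you exercise the logic without touching the real /dev.
#   Returns 0 when DEVDIR/urandom is usable, 1 when there is no random
#   device at all (on Solaris 8 that means Sun's /dev/random patch is
#   not installed, and a symlink would not help).
ensure_urandom() {
    devdir=${1:-/dev}
    if [ -r "$devdir/urandom" ]; then
        return 0
    fi
    if [ ! -r "$devdir/random" ]; then
        echo "ensure_urandom: no random device in $devdir, install the /dev/random patch first" >&2
        return 1
    fi
    ln -s "$devdir/random" "$devdir/urandom" || return 1
    echo "ensure_urandom: linked $devdir/urandom -> $devdir/random" >&2
    return 0
}

# prng_seeded [OPENSSL]
#   Asks the openssl binary for 16 random bytes. With no seed source this
#   fails with "PRNG not seeded", the same error mod_ssl logs at start-up.
prng_seeded() {
    openssl_bin=${1:-/usr/local/ssl/bin/openssl}
    "$openssl_bin" rand 16 >/dev/null 2>&1
}

# Typical use on the real host (run as root):
#   ensure_urandom /dev && prng_seeded && /usr/local/apache/bin/apachectl start
```

Run it once before apachectl start; if prng_seeded still fails after the symlink exists, the problem is not the device name but the kernel's random driver.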



Solaris DHCP Client
To set a Solaris box up as a DHCP client (assuming the Ethernet device is hme0), there are two ways:
1) Create an empty /etc/hostname.hme0 and /etc/dhcp.hme0 (takes effect at the next boot)
2) Run, as root:
# ifconfig hme0 plumb
# ifconfig hme0 dhcp start

However, this sets the hostname to "unknown" unless you specify something like the following in the DHCP server config (ISC dhcpd syntax):

host netra {
hardware ethernet 08:00:20:da:63:96;
option host-name "netra";
}

Alternatively, according to http://www.rite-group.com/rich/solaris_dhcp.html, you can download http://www.rite-group.com/rich/set_hostname to /etc/init.d, with a symbolic link to it from /etc/rc2.d/S70set_hostname. Put the hostname in /etc/nodename.


To disable dhcp in Solaris simply remove the two files mentioned above.

Monday, September 10, 2007

PPTP Passthrough via Linux Kernel

As I was upgrading the Linux kernel on Red Hat 6.2 to kernel 2.4, I realized the firewall policy did not work for PPTP (GRE and TCP port 1723) although the policies were loaded correctly. I ran "grep -r pptp /lib/modules/2.4.35.1" but it returned NO result. It simply means the kernel would not NAT PPTP traffic: without a PPTP/GRE connection-tracking helper, NAT cannot match the GRE data channel to the control connection.

After much research, I learned about "patch-o-matic" from the PPTP Connection Tracking Wiki and the Netfilter Extensions HOWTO; then came the SmoothWall article, whose section 3c explains in detail what it is and how to apply this netfilter patch to the kernel:

Section 3c: Patch netfilter/iptables and the kernel source
This patch is actually the most important of all of them, and has the actual pptp_conntrack, and gre_conntrack, modules in it. The netfilter team provides a very handy and easy to use scriptlet to automate this process to a very large degree. The patch-o-matic script will walk you through a series of dialogs informing you which patch is in the queue, what it does, and sometimes other bits of important info. You are then prompted to apply the patch, or skip it and move on to the next in the queue. The patch-o-matic-ng-20040621 set is rather large, with many, many patches in it, and this process may take about 20-30 mins to run through the first time. (After you have done it a million times, it doesn’t take but about 5 mins, lol.) Be aware that not all of the patches can be applied at the same time, some are buggy, some simply don’t work, and some are incompatible with each other.

Two Versions: patch-o-matic vs patch-o-matic-ng
The netfilter team switched from the patch-o-matic format to the patch-o-matic-ng format after iptables 1.2.9 was released in Dec. 2003.


What confused me was that there are so many versions and snapshots under both patch groups; which one to use? Since I prefer not to use Perl, I had to go for patch-o-matic. But I failed to patch linux-2.4.30 and the versions below it; only at linux-2.4.28 did I succeed. Even then, while compiling linux-2.4.28, this error occurred:
gcc -D__KERNEL__ -I/usr/src/linux-2.4.28/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=i586 -DMODULE -DMODVERSIONS -include /usr/src/linux-2.4.27/include/linux/modversions.h -nostdinc -iwithprefix include -DKBUILD_BASENAME=ipt_connlimit -c -o ipt_connlimit.o ipt_connlimit.c
ipt_connlimit.c: In function `init':
ipt_connlimit.c:219: `ip_conntrack_module' undeclared (first use in this function)
ipt_connlimit.c:219: (Each undeclared identifier is reported only once
ipt_connlimit.c:219: for each function it appears in.)
ipt_connlimit.c:220: warning: value computed is not used
ipt_connlimit.c: In function `fini':
ipt_connlimit.c:227: `ip_conntrack_module' undeclared (first use in this function)
ipt_connlimit.c:228: warning: value computed is not used
make[2]: *** [ipt_connlimit.o] Error 1

I needed to disable the "Connections/IP limit match support" option using "make menuconfig" to eliminate the error. Continuing my journey, I got the error below:
gcc -D__KERNEL__ -I/usr/src/linux-2.4.28/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=i586 -DMODULE -DMODVERSIONS -include /usr/src/linux-2.4.27/include/linux/modversions.h -nostdinc -iwithprefix include -DKBUILD_BASENAME=ipt_ULOG -c -o ipt_ULOG.o ipt_ULOG.c
ipt_ULOG.c: In function `ip_ulog_fn':
ipt_ULOG.c:379: `qlen' undeclared (first use in this function)
ipt_ULOG.c:379: (Each undeclared identifier is reported only once
ipt_ULOG.c:379: for each function it appears in.)
make[2]: *** [ipt_ULOG.o] Error 1


There are two possible workarounds:
1. Before applying the netfilter patch
vi patch-o-matic-20041009/pending/40_nf-log.patch
at line 466, in
if (qlen >= loginfo.qthreshold) {
change "qlen" to "ub->qlen"

OR

2. After applying the netfilter patch
vi /usr/src/linux-2.4.28/net/ipv4/netfilter/ipt_ULOG.c
go to line 379 and change "qlen" to "ub->qlen"


I tried again and it compiled. I also came across a link reporting success using PPTP with linux-2.4.28.

Well, looking at the complexity, I had no choice but to go for patch-o-matic-ng. Hmm, I thought: since I have the latest linux-2.4.35.1 (latest as of 15 Aug 2007), I need the latest snapshot of the time, i.e. patch-o-matic-ng-20070909.tar.bz2. The steps below:


  1. cd /usr/src
  2. ln -s linux-2.4.35.1 linux
  3. cd /usr/local/src
  4. wget http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20070909.tar.bz2
  5. tar xIf patch-o-matic-ng-20070909.tar.bz2
  6. cd patch-o-matic-ng-20070909
  7. ./runme extra
    Can't locate Pod/Usage.pm in @INC (@INC contains: /usr/lib/perl5/5.00503/i386-linux /usr/lib/perl5/5.00503 .) at ./runme line 14.
    BEGIN failed--compilation aborted at ./runme line 14.
  8. On the Asus machine, from C:\Documents and Settings\Administrator\Desktop\Source\DF\Redhat 6.2 updates, install a newer Perl:
    rpm -Uvh perl-5.6.1-36.1.72.i386.rpm perl-CPAN-1.59_54-36.1.72.i386.rpm
  9. ./runme extra
    Press 'y' to apply each patch; if a patch fails, press 'n' to skip it
  10. Go to the Linux source directory and run make menuconfig to enable all the netfilter features.

With all the hassles, to my disappointment it did not have PPTP NAT built in. This was confirmed by the PPTP Connection Tracking Wiki under the section "With an older kernel - I Didn't Listen". About patch-o-matic-ng, it said "They no longer support this [pptp] patch".

I suppose it is because the netfilter folks are focusing on kernel 2.6, which has the PPTP patch rolled into the official source tree. I set aside my frustration and told myself to forget about kernel 2.4 entirely and concentrate only on kernel 2.6; anyway, this is the direction of the future.

I loaded linux-2.6.22.5 and started the modules nf_nat_pptp, nf_conntrack_pptp, nf_nat_proto_gre, nf_conntrack_proto_gre, nf_nat_ftp, and nf_conntrack_ftp from /etc/rc.d/rc.local. However, the firewall policy still did not work for PPTP NAT. From the information I gathered, I needed to upgrade iptables from iptables-1.2.7a (the version then running). The steps below:

  1. cd /usr/src
  2. wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.22.5.tar.bz2
  3. tar xIf linux-2.6.22.6.tar.bz2
  4. ln -s linux-2.6.22.6 linux
  5. cd linux/include
  6. ln -s asm-i386 asm
  7. cat > linux/version.h # no need if it was compiled before
    #define LINUX_VERSION_CODE 132630 /* 2.6.22 = (2<<16)+(6<<8)+22 */
    #define KERNEL_VERSION(a,b,c) (((a) << 16) + ((b) << 8) + (c))
  8. cd /usr/include; ln -s /usr/src/linux/include/asm-generic
  9. cd /usr/src
  10. wget ftp://194.199.20.114/linux/fedora/core/development/source/SRPMS/iptables-1.3.7-2.src.rpm
  11. rpm -i iptables-1.3.7-2.src.rpm
  12. wget http://ftp.netfilter.org/pub/iptables/iptables-1.3.8.tar.bz2
  13. tar xIf iptables-1.3.8.tar.bz2
  14. ln -s iptables-1.3.8 iptables
  15. cp /usr/src/redhat/SPECS/iptables.spec iptables-1.3.8
  16. cp /usr/src/redhat/SOURCES/iptables.init .
  17. cp /usr/src/redhat/SOURCES/iptables-config .
  18. tar cIf iptables-1.3.8.tar.bz2 iptables-1.3.8
  19. rpmbuild -ta iptables-1.3.8.tar.bz2
    ...
    Wrote: /usr/src/redhat/SRPMS/iptables-1.3.8-2.src.rpm
    Wrote: /usr/src/redhat/RPMS/i386/iptables-1.3.8-2.i386.rpm
    Wrote: /usr/src/redhat/RPMS/i386/iptables-ipv6-1.3.8-2.i386.rpm
    Wrote: /usr/src/redhat/RPMS/i386/iptables-devel-1.3.8-2.i386.rpm
  20. I have copied iptables-1.3.8.spec to development/source/patch/kernel folder.

Finally it works!
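What "works" amounts to on the 2.6 box is two things: the GRE and PPTP helpers being loaded, and a rule set that lets the PPTP control channel and GRE through while the helper marks the return traffic as RELATED. The following shell script is an added example, not from the original post or from netfilter; the module names are the ones loaded from rc.local above, while eth0 as the WAN interface, eth1 as the LAN interface and 192.168.1.0/24 as the LAN subnet are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post. Shows the pieces that have
# to be in place for PPTP passthrough on a 2.6.22-era NAT box: the
# connection-tracking/NAT helpers for GRE and PPTP, and a rule set that
# admits only the PPTP control channel (TCP 1723) and GRE outbound, with
# the return direction covered by the RELATED state the helper creates.
# eth0/eth1 and 192.168.1.0/24 are assumptions for illustration.

# required_helpers: the modules the post loads from rc.local, minus the FTP ones
required_helpers() {
    printf '%s\n' nf_conntrack_proto_gre nf_nat_proto_gre nf_conntrack_pptp nf_nat_pptp
}

# missing_helpers MODULES_FILE
#   Prints each required module that is absent from a /proc/modules-style
#   listing (first field is the module name). Pass /proc/modules on a real box.
missing_helpers() {
    modfile=$1
    for m in $(required_helpers); do
        grep -q "^$m " "$modfile" || echo "$m"
    done
}

# pptp_rules WAN_IF LAN_IF LAN_NET
#   Prints the iptables commands; pipe the output to sh to apply them.
pptp_rules() {
    wan=$1; lan=$2; net=$3
    cat <<EOF
iptables -A FORWARD -i $lan -o $wan -s $net -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -s $net -p gre -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -s $net -j MASQUERADE
EOF
}

# On the NAT box itself: ./pptp-nat.sh apply
if [ "${1:-}" = "apply" ]; then
    for m in $(required_helpers); do modprobe "$m"; done
    if [ -n "$(missing_helpers /proc/modules)" ]; then
        echo "helpers still missing: $(missing_helpers /proc/modules)" >&2
        exit 1
    fi
    pptp_rules eth0 eth1 192.168.1.0/24 | sh
fi
```

The point of checking /proc/modules rather than just calling modprobe is the symptom from the 2.4 attempt: with the helpers absent, exactly these rules load without complaint and PPTP still fails, because inbound GRE never becomes RELATED.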

Thursday, January 4, 2007

Setup Netgear MA111 Wireless USB for Linux

Background
Someone happened to pass me a USB Wi-Fi adapter some time ago. The item was left idle on my desk for a while until recently, when I gave it a try on my new 2.4.33 kernel. Inside the Netgear MA111 is a Prism chipset. There is an open source driver for this chipset from www.linux-wlan.com.


Getting Started
I took the following steps to complete the installation:

1. Download the source linux-wlan-ng-0.2.5.tar.gz to /usr/local/src
2. cd /usr/local/src; tar xvzf linux-wlan-ng-0.2.5.tar.gz
3. To make the module run "make config"
This will ask you one by one which module to compile:
-------------- Linux WLAN Configuration Script -------------

The default responses are correct for most users.

Build Prism2.x PCMCIA Card Services (_cs) driver? (y/n) [n]:
Build Prism2 PLX9052 based PCI (_plx) adapter driver? (y/n) [n]:
Build Prism2.5 native PCI (_pci) driver? (y/n) [y]:
Build Prism2.5 USB (_usb) driver? (y/n) [y]:
...

4. make all; make install - The driver and configuration programs are copied to the rightful place in your OS directory.


Create the Installer
1. Below is a shell script I created to build an installer to distribute to other systems:
tar cvzf linux-wlan-ng-0.2.5.i386.tgz \
/etc/wlan \
/sbin/wlanctl-ng \
/sbin/nwepgen \
/sbin/wlancfg \
/sbin/prism2dl \
/lib/modules/2.4.33.4/linux-wlan-ng

2. If you want to create a kernel-with-WLAN installer, here is the script:
tar czf kernel24-wlan-ng-i386.tgz \
/lib/modules/2.4.33.4 /boot/System.map-2.4.33.4 /boot/vmlinuz-2.4.33.4 \
/usr/src/redhat/RPMS/i386/modutils-* \
/etc/wlan \
/sbin/wlanctl-ng \
/sbin/nwepgen \
/sbin/wlancfg \
/sbin/prism2dl \
/lib/modules/2.4.33.4/linux-wlan-ng


Configuration
After you have installed the new driver, you need to load it. According to the README found in linux-wlan-ng-0.2.5.tar.gz, the simplest way to do this is to add the following commands to your rc.local file (fill in the address, netmask and broadcast for your network):

modprobe prism2_pci [or prism2_usb/prism2_plx]
wlanctl-ng wlan0 lnxreq_ifstate ifstate=enable
wlanctl-ng wlan0 lnxreq_autojoin ssid=linksys authtype=opensystem
ifconfig wlan0 <ipaddr> netmask <netmask> broadcast <broadcast>
route add default wlan0

The ssid can be empty if you do not have one, e.g.
wlanctl-ng wlan0 lnxreq_autojoin ssid= authtype=opensystem

Be aware that an empty SSID with authtype=opensystem and no WEP key associates with whichever access point answers first, so it is only suitable for testing on a network you control.

Also add "alias wlan0 prism2_usb" for wlan0 to /etc/modules.conf.


Start up Automatically
I have tried this method and it works fine. But a better method is to load the driver using an rc script. linux-wlan-ng-0.2.5.tar.gz comes with an rc script (linux-wlan-ng-0.2.5/etc/rc.wlan). You can copy and rename this file to /etc/rc.d/init.d/wlan. A minor modification to the file is needed; edit /etc/rc.d/init.d/wlan: a) line 3 - change rc.wlan to wlan, b) line 5 - remove a hidden trailing space at the end of the chkconfig line. Save the file, then run "chkconfig --add wlan; chkconfig wlan on" to enable it.

To test it, run "service wlan start". However, I realized that running it on the command line is OK, but when I restart the machine the driver is not loaded automatically; after some debugging, I noted the problem was that the standard USB core needs more time to start up before the Prism driver is loaded. The workaround is to insert "sleep 5" into /etc/rc.d/init.d/wlan at line 40.
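A fixed sleep works on one machine and fails on a slower one. The following shell functions are an added example (not from linux-wlan-ng or the original post) that replace the "sleep 5" with a bounded wait: poll for a path that only shows up once the USB core has registered, then load the driver. /proc/bus/usb is the 2.4-era usbfs location and the 15 second ceiling is an assumption; on your box, poll whatever file appears only after usbcore is up.

```shell
#!/bin/sh
# Added example, not from linux-wlan-ng or the original post. Replaces the
# fixed "sleep 5" in /etc/rc.d/init.d/wlan with a bounded wait: poll for a
# path that only appears once the USB core is up, then load the Prism
# driver. /proc/bus/usb is the 2.4-era usbfs path; 15 s is an assumption.

# wait_for_path PATH TIMEOUT_SECS
#   Returns 0 as soon as PATH exists, 1 if it still does not exist after
#   TIMEOUT_SECS seconds. Polls once a second.
wait_for_path() {
    path=$1; limit=$2; waited=0
    while [ ! -e "$path" ]; do
        if [ "$waited" -ge "$limit" ]; then
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# load_prism_usb: what the start branch of /etc/rc.d/init.d/wlan should do
#   instead of "sleep 5; modprobe prism2_usb".
load_prism_usb() {
    if ! wait_for_path /proc/bus/usb 15; then
        echo "wlan: USB core not ready after 15s, not loading prism2_usb" >&2
        return 1
    fi
    modprobe prism2_usb || return 1
    wlanctl-ng wlan0 lnxreq_ifstate ifstate=enable
}
```

Because load_prism_usb returns non-zero when the wait times out, the init script can report the failure instead of silently leaving wlan0 unconfigured.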


Join a Wireless Network
When the driver loads, it will attempt to associate with any access point within range. However, it is highly recommended to set up a configuration specifically for your network, using the following method:

This example assumes your network name/SSID is "linksys"
1. cp /etc/wlan/wlancfg-DEFAULT /etc/wlan/wlancfg-linksys
2. edit /etc/wlan/wlan.conf and change the SSID_wlan0 line to SSID_wlan0="linksys"
3. edit /etc/wlan/wlancfg-linksys and make any changes necessary to support your network, such as WEP keys.

Again, if you do not use an SSID, just leave SSID_wlan0 blank.


Unresolved Problem
There is a problem I encountered for which I have yet to find an answer; I hope you (reader of the article) can help me find a solution. When I reboot the machine, somehow the rc script is not executed by the OS during the shutdown process; because of that, the machine hangs at the BIOS stage. I believe it is caused by the USB adapter not being properly shut down (the LED is still on).


References
1. linux-wlan-ng-0.2.5/README
2. Netgear MA111 USB Wireless Howto
3. Jacek Pliszka's wireless hints: 802.11b / Wi-Fi Linux USB
4. Wireless LAN resources for Linux
5. HOWTO Prism2 USB on Gentoo
6. Linux and Wireless LANs
7. Linux and WireLess Mobile AdHoc Networks - MANETs
8. Linux and Wireless LAN Access Points (Routers) - WLAN APs
9. Wireless LAN Sniffer Applications for Linux
10. Adding an External WireLess Antenna to a Laptop or Notebook
11. Adding a WireLess miniPCI Card to a Laptop or NoteBook
12. Prism II Access Point Mini-Howto
13. A Linux Wireless Access Point HOWTO
14. Installing and Configuring HostAP
15. Inside a Linksys Wap11
16. Atmel Wireless LAN Driver for Linux
17. The Linux ORiNOCO Driver
18. Prism2 USB 802.11b devices under Linux
19. Getwifi
20. Wireless Networking in the Developing World



This article is copyrighted by Victor Wu

Wednesday, November 29, 2006

Upgrade RedHat 6.2 Make Easy

I have been a faithful Red Hat 6.2 user up to now, 2006. Yes, I know this version is ancient and has long been outdated. However, it is the most stable Linux version ever created. The kernel is 2.2.19, fully patched. Over the years since 2002 I have been wanting to upgrade the kernel to 2.4; this TODO item never got executed due to the extremely tight schedule I have with other commitments.

A week ago, I intended to use my pen drive on a Linux box equipped with this ancient OS. I was so confident that it would be mounted successfully because the OS contains the USB patch. The pen drive was detected as a SCSI device, but when I ran "mount /dev/sda1 /mnt/pendrive", the computer hung! Eeerrrrr... I spent the whole night trying to get it to work but to no avail. I was so frustrated that I told myself: look, it is time to move forward with a newer kernel, i.e. 2.6.

It is a blessing in disguise: though I have not done anything about the upgrade all these years, kernel development by the Internet community goes on. I feel kind of lucky to skip the entire 2.4 tree and jump straight to 2.6. Suddenly I am ahead of many people around the globe who are still using 2.4, hehe!

All this time I thought upgrading the kernel and the operating environment would be painful and difficult; not until I experienced it. It is not that hard, though. A little regret for not being willing to spend the time in those early days when kernel 2.4 emerged (around 2002/2003).

Well, story aside, now let's get our hands dirty and learn the trick.


Preparation
In order to compile the kernel 2.6 source, you are required to upgrade the operating environment to glibc 2.2.x, and the gcc compiler must be version 3 or above; otherwise no go. I searched through the Red Hat CDs; the closest RPMs I could use were from Red Hat 8.0. Formerly Red Hat kept all CD files on http://ftp.redhat.com/, but they were later transferred to http://download.fedoralegacy.org/ in 2005.

Get the glibc version 2.2 with the following RPMs:




Obtain gcc version 3 with the RPMs below:







Procedure



Start up the Red Hat 6.2 Linux box. At the root prompt, run wget to download all the necessary RPM files into /usr/local/src. Once that is done, change to the directory with cd. Run this command:

rpm -Uvh --nodeps gcc* cpp* libstd* glib*

The command must be on one line and all the RPM files must be passed as parameters in one go; you are not supposed to break it into multiple rpm commands, as the dependency issues will confuse you.



Beside glibc and gcc, you need to also upgrade some utilities:





  1. sed-4.0.5-1.src.rpm from Redhat-9 Sources to resolve error: Unknown option to 's'


  2. binutils-2.15.94.0.2.2-2.1.src.rpm from Fedora Core 4 Upgrades Sources to resolve error: Writing section .bss to huge (ie negative)


  3. Upgrade the rpm packages rpm-4.0.4-7x.i386.rpm, rpm-build-4.0.4-7x.i386.rpm, rpm-devel-4.0.4-7x.i386.rpm, rpm-perl-4.0.4-7x.i386.rpm, and rpm-python-4.0.4-7x.i386.rpm from the fedoralegacy/redhat/7.2/updates mirror site. Run "rpm -Uvh rpm-*" in one pass to upgrade them.


  4. module-init-tools-3.1-0.pre5.3.4.src.rpm from Updates for Redhat-EL 4AS Sources


Upon upgrading the operating environment, compiler, and the utility programs mentioned above, you can begin to build the new kernel. Observe these steps:

  1. Download kernel-2.6.18.src.rpm from rpmfind.net
  2. rpm -i kernel-2.6.18.src.rpm # only interested in the sample "config" files
  3. cd /usr/src
  4. wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.18.tar.gz # latest kernel at this point of writing
  5. tar xzf linux-2.6.18.tar.gz
  6. ln -s linux-2.6.18 linux
  7. cd linux/include
  8. ln -s asm-i386 asm; ln -s /usr/src/linux/include/asm-generic /usr/include/asm-generic # asm must point at the existing asm-i386 directory, not the other way round
  9. cd ..
  10. cp /usr/src/redhat/SOURCES/kernel-2.6.18-i686.config .config # .config is with a leading dot
  11. make menuconfig # once you are in the blue screen, just exit and save
  12. make
  13. make install

If you want to use netfilter for NAT, you need to enable IPv4 connection tracking (Networking/Networking options/Network packet filtering framework/IP: Netfilter configuration/IPv4 connection tracking support); you then get the "Full NAT" configuration option.



There is a new module utility associated with kernel 2.6 called module-init-tools. Download module-init-tools-3.1-3.src.rpm from Fedora Core 4 Sources. Take the following step to compile and install:





  1. rpm -i module-init-tools-3.1-3.src.rpm


  2. cd ../SPECS


  3. vi module-init-tools.spec # Modify the following lines:


  4. # Line 15: delete "docbook-utils"


  5. # Line 28: right under %build add a line "ln -s /bin/true /bin/docbook2man" to fool module-init-tools-3.1/Makefile.in


  6. # Line 29 and 36: delete "-DCONFIG_NO_BACKWARDS_COMPAT=1"


  7. # Line 55: add a "i386-init-tools-" in front of lsmod -> "i386-init-tools-lsmod"


  8. # Line 57: replace with "install -m 755 insmod-static $RPM_BUILD_ROOT/sbin/i386-redhat-linux-insmod.static"


  9. # Line 76: at %post append a script to do "Makefile.in: make moveold" and create links to i386-redhat-linux-*


  10. # Optional: Prepending "i386-redhat-linux-" is a common problem with some build files that think you're cross-compiling (and when you really are, this is in fact a feature :-/). The workaround is to pass an extra argument to configure as follows:
    %configure --program-prefix=%{?_program_prefix:%{_program_prefix}}


  11. rpm -bb module-init-tools.spec


  12. # You may now install module-init-tools


  13. rpm -i --force /usr/src/redhat/RPMS/i386/module-init-tools-3.1-3.i386.rpm


  14. I have copied module-init-tools.spec to development source/patch/modules-init-tools folder.


After installing the new kernel and rebooting, you will realize that modules are not loaded at all. In order to autoload kernel modules you need to modify /etc/rc.d/rc.sysinit to use kallsyms: at line 233, copy and paste the ksyms line and replace it with "elif" and "kallsyms". Since kernel 2.6 uses modprobe.conf, you may run "generate-modprobe.conf /etc/modprobe.conf" or alternatively just copy modules.conf to modprobe.conf (it works for me).



Done, that's it! No sweat, isn't it?



Please note that you need a proper operating environment to compile the new kernel. Once you have a new kernel binary, you may install it on another Red Hat 6.2 machine. That machine need not have the new glibc or the upgraded build utilities to run the kernel; the kernel is independent of the operating environment. It does still need module-init-tools, since the 2.4-era modutils cannot load 2.6 modules.





Conclusion



Numerous trials and errors have been performed; much patience, endurance, and energy have been put in over sleepless nights. All the hard work has been digested and I have streamlined the procedure for you. From time to time I will refine this article when needed. I hope this article will help and shed light for people who want to upgrade (NOT migrate) Red Hat 6.2 to the latest 2.6 kernel.