HardenedBSD/share/FAQ/slip_server.FAQ

Slip Server FAQ for FreeBSD
$Id$
Help for setting up SLIP Server services on a FreeBSD system
------------------------------------------------------------
Written by Guy Helmer (ghelmer@alpha.dsu.edu)
Last Updated December 13, 1994

This document provides suggestions for setting up SLIP Server services
on a FreeBSD system, which typically means configuring your system to
automatically start up connections upon login for remote SLIP clients.
I've written this document based on my own experience; however, as
your system and needs may be different, this document may not answer
all of your questions, and I cannot be responsible if you damage your
system or lose data due to attempting to follow the suggestions here.
I have only set up SLIP Server services on a FreeBSD 1.1 system, so if
you are running a different version (such as FreeBSD 2.0), your system
may be different. I've decided to write this document since I've
recently been asked for the umpteenth time how to set up a FreeBSD
machine as a SLIP server :-)

1. Prerequisites
----------------

This document is very technical in nature, so background knowledge is
required. I must assume that you are familiar with the TCP/IP network
protocol, and in particular, network and node addressing, network
address masks, subnetting, routing, and routing protocols, such as
RIP. Configuring SLIP services on a dial-up server requires a
knowledge of these concepts, and if you are not familiar with them,
please read a copy of either Craig Hunt's "TCP/IP Network
Administration" published by O'Reilly & Associates, Inc. (ISBN Number
0-937175-82-X), or Douglas Comer's book on the TCP/IP protocol.

I will assume that you have already set up your modem(s) and configured
the appropriate system files to allow logins through your modems (see
the manual pages for sio(4) for information on the serial port device
driver and ttys(5), gettytab(5), getty(8), & init(8) for information
relevant to configuring the system to accept logins on modems, and
perhaps stty(1) for information on setting serial port parameters
[such as "clocal" for directly-connected serial interfaces]).

2. Quick Overview
-----------------

In its typical configuration, using FreeBSD as a SLIP server works as
follows: a SLIP user dials up your FreeBSD SLIP Server system and logs
in with a special SLIP login ID that uses "/usr/sbin/sliplogin" as the
special user's shell. The "sliplogin" program browses the file
"/etc/slip.hosts" to find a matching line for the special user, and if
it finds a match, connects the serial line to an available SLIP
interface and then runs /etc/slip.login to configure the SLIP
interface.

2.1 An Example of a SLIP Server Login
-------------------------------------

For example, if my SLIP user ID were "Shelmerg", that user's entry in
/etc/master.passwd would look something like this (except it would be
all on one line):

    Shelmerg:password:1964:89::0:0:Guy Helmer - SLIP:
            /usr/users/Shelmerg:/usr/sbin/sliplogin

and, when I log in with that user ID, "sliplogin" will search
/etc/slip.hosts for a line that had a matching user ID; on my system,
I may have a line in /etc/slip.hosts that reads:

    Shelmerg dc-slip sl-helmer 0xfffffc00 autocomp

sliplogin will find that matching line, hook the serial line I'm on
into the next available SLIP interface, and then execute
/etc/slip.login like this:

    /etc/slip.login 0 19200 Shelmerg dc-slip sl-helmer 0xfffffc00 autocomp

If all goes well, /etc/slip.login will issue an "ifconfig" for the
SLIP interface to which sliplogin attached itself (slip interface 0,
in the above example, which was the first parameter in the list given
to slip.login) to set the local IP address (dc-slip), remote IP
address (sl-helmer), network mask for the SLIP interface (0xfffffc00),
and any additional flags (autocomp). If something goes wrong,
sliplogin usually logs good informational messages via the daemon
syslog facility, which usually goes into /var/log/messages (see the
manual pages for syslogd(8) and syslog.conf(5), and perhaps check
/etc/syslog.conf to see to which files syslogd is logging).
OK, enough of the examples -- let's dive into setting up the system.

3. Kernel Configuration
-----------------------

FreeBSD's default kernels usually come with two SLIP interfaces
defined (sl0 and sl1); you can use "netstat -i" to see whether these
interfaces are defined in your kernel.

Sample output from "netstat -i":

Name  Mtu   Network     Address            Ipkts Ierrs    Opkts Oerrs  Coll
ed0   1500  <Link>0.0.c0.2c.5f.4a         291311     0   174209     0   133
ed0   1500  138.247.224 ivory             291311     0   174209     0   133
lo0   65535 <Link>                            79     0       79     0     0
lo0   65535 loop        localhost             79     0       79     0     0
sl0*  296   <Link>                             0     0        0     0     0
sl1*  296   <Link>                             0     0        0     0     0

The sl0 and sl1 interfaces shown in "netstat -i"'s output indicate
that there are two SLIP interfaces built into the kernel. (The
asterisks after the "sl0" and "sl1" indicate that the interfaces are
"down".)

However, FreeBSD's default kernels do not come configured to forward
packets (i.e., your FreeBSD machine will not act as a router) due to
Internet RFC requirements for Internet hosts (see RFCs 1009
[Requirements for Internet Gateways], 1122 [Requirements for Internet
Hosts -- Communication Layers], and perhaps 1127 [A Perspective on the
Host Requirements RFCs]), so if you want your FreeBSD SLIP Server to
act as a router, you'll have to add the line "options GATEWAY" to your
machine's kernel configuration file and re-compile the kernel anyway.
(Trivia: "Gateways" are the Internet's old name for what are now
usually called "routers".)
Please see the BSD System Manager's Manual chapter on "Building
Berkeley Kernels with Config" [the source for which is in
/usr/src/share/doc/smm] and the "FreeBSD Configuration Options" [in
/sys/doc/options.doc] for more information on configuring and building
kernels. You may have to unpack the kernel source distribution if you
haven't installed the system sources already (srcdist/srcsys.?? in
FreeBSD 1.1, srcdist/sys.?? in FreeBSD 1.1.5.1, or the entire source
distribution in FreeBSD 2.0-RELEASE) to be able to configure and build
kernels.
You'll notice that near the end of the default kernel configuration
file (/sys/i386/conf/GENERICAH) is a line that reads:

    pseudo-device   sl      2

which is the line that defines the number of SLIP devices available in
the kernel; the number at the end of the line is the maximum number of
SLIP connections that may be operating simultaneously.
See the "Building Berkeley Kernels with Config" and the manual page
for config(8) to see how to configure and build kernels.

4. Sliplogin Configuration
--------------------------

As mentioned earlier, there are three files in the /etc directory that
are part of the configuration for /usr/sbin/sliplogin (see
sliplogin(8) for the actual manual page for sliplogin): slip.hosts,
which lists the SLIP users & their associated IP addresses;
slip.login, which usually just configures the SLIP interface; and
slip.logout, which undoes slip.login's effects when the serial
connection is terminated.

4.1 slip.hosts Configuration & Local and Remote Address Selection
-----------------------------------------------------------------

/etc/slip.hosts contains lines which have at least four items listed:
a SLIP user's login ID, the local address (local to the SLIP server)
of the SLIP link, the remote address of the SLIP link, and the network
mask. The local and remote addresses may be host names (given in
/etc/hosts or by the domain name service, depending on your
specifications in /etc/host.conf), and I believe the network mask may
be a name that can be resolved by a lookup into /etc/networks. On one
of my systems, /etc/slip.hosts looks like this:

----- begin /etc/slip.hosts -----
#
# login    local-addr  remote-addr  mask        opt1  opt2
#                                               (normal,compress,noicmp)
#
Shelmerg   dc-slip     sl-helmerg   0xfffffc00  autocomp
----- end /etc/slip.hosts ------

At the end of the line is one or more of the options:

   "normal"   - no header compression
   "compress" - compress headers
   "autocomp" - compress headers if the remote end allows it
   "noicmp"   - disable ICMP packets (so any "ping" packets won't use up
                any of your bandwidth)
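
A lint for the slip.hosts layout described above, as an added example
that is not part of this FAQ or of sliplogin. It assumes the four option
names listed here are the only valid ones; the function names and the
sample entries other than Shelmerg are made up for illustration.

```sh
#!/bin/sh
# Added example: lint a slip.hosts-style file. Not part of sliplogin.
# Option names are the four this FAQ lists; adjust for your sliplogin(8).

# Print one "line N: problem" message per bad entry, reading the file named
# in $1 (or stdin). Returns 0 if the file is clean, 1 otherwise.
check_slip_hosts() {
    awk '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        NF < 4 {
            printf "line %d: need login, local-addr, remote-addr, mask\n", NR
            bad = 1
            next
        }
        seen[$1]++ {                       # same login ID listed twice
            printf "line %d: duplicate login %s\n", NR, $1
            bad = 1
        }
        {
            for (i = 5; i <= NF; i++)
                if ($i !~ /^(normal|compress|autocomp|noicmp)$/) {
                    printf "line %d: unknown option %s\n", NR, $i
                    bad = 1
                }
        }
        END { exit bad + 0 }
    ' "$@"
}

# Constructed sample input (host names are made up apart from the FAQ's own).
sample_slip_hosts() {
    cat <<'EOF'
# login   local-addr remote-addr mask       opt1 opt2
Shelmerg  dc-slip    sl-helmerg  0xfffffc00 autocomp
Sjones    dc-slip    sl-jones    0xfffffc00 compress noicmp
Ssmith    dc-slip    sl-smith
Sdoe      dc-slip    sl-doe      0xfffffc00 autocom
Shelmerg  dc-slip    sl-other    0xfffffc00 normal
EOF
}

# Usage: check_slip_hosts /etc/slip.hosts
#    or: sample_slip_hosts | check_slip_hosts
```
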
Your choice of local and remote addresses for your SLIP links depends
on whether you are going to dedicate a TCP/IP subnet or if you are
going to use "proxy ARP" on your SLIP server (it's not "true" proxy
ARP, but that is the terminology that I will use in this document to
describe it). If you're not sure which method to select or how to
assign IP addresses, please refer to the TCP/IP books referenced in
the "Prerequisites" section and/or consult your IP network manager.
If you are going to use a separate subnet for your SLIP clients, you
will need to allocate the subnet number out of your assigned IP
network number and assign each of your SLIP clients' IP numbers out of
that subnet; then you will probably either need to configure a static
route to the SLIP subnet via your SLIP server on your nearest IP
router, or install "gated" on your FreeBSD SLIP server and configure
it to talk the appropriate routing protocols to your other routers to
inform them about your SLIP server's route to the SLIP subnet.
Otherwise, if you will use the "proxy ARP" method, you will need to
assign your SLIP clients' IP addresses out of your SLIP server's
Ethernet subnet, and you'll also need to adjust your /etc/slip.login
and /etc/slip.logout scripts to use arp(8) to manage the proxy-ARP
entries in the SLIP server's ARP table.

4.2 slip.login Configuration
----------------------------

The typical /etc/slip.login file looks like this:

----- begin /etc/slip.login -----
#!/bin/sh -
#
#       @(#)slip.login  5.1 (Berkeley) 7/1/90
#
# generic login file for a slip line.  sliplogin invokes this with
# the parameters:
#      1        2         3        4          5         6     7-n
#   slipunit ttyspeed loginname local-addr remote-addr mask opt-args
#
/sbin/ifconfig sl$1 inet $4 $5 netmask $6
----- end /etc/slip.login -----

This slip.login file merely ifconfig's the appropriate SLIP interface
with the local and remote addresses and network mask of the SLIP
interface.
If you have decided to use the "proxy ARP" method (instead of using a
separate subnet for your SLIP clients), your /etc/slip.login file will
need to look something like this:

----- begin /etc/slip.login for "proxy ARP" -----
#!/bin/sh -
#
#       @(#)slip.login  5.1 (Berkeley) 7/1/90
#
# generic login file for a slip line.  sliplogin invokes this with
# the parameters:
#      1        2         3        4          5         6     7-n
#   slipunit ttyspeed loginname local-addr remote-addr mask opt-args
#
/sbin/ifconfig sl$1 inet $4 $5 netmask $6
# Answer ARP requests for the SLIP client with our Ethernet addr
/usr/sbin/arp -s $5 00:11:22:33:44:55 pub
----- end /etc/slip.login for "proxy ARP" -----

The additional line in this slip.login, "arp -s...", creates an ARP
entry in the SLIP server's ARP table which asks the system to give out
the SLIP server's Ethernet MAC address whenever another system or
router on the Ethernet asks to speak to the SLIP client's IP address.
When using the example above, be sure to replace the Ethernet MAC
address (00:11:22:33:44:55) with the MAC address of your system's
Ethernet card, or your "proxy ARP" will definitely not work! You can
discover your SLIP server's Ethernet MAC address by looking at the
results of running "netstat -i"; the second line of the output should
look something like:

ed0   1500  <Link>0.2.c1.28.5f.4a         191923     0   129457     0   116
                  ^^^^^^^^^^^^^^^

which indicates that this particular system's Ethernet MAC address is
"00:02:c1:28:5f:4a" -- the periods in the Ethernet MAC address given
by "netstat -i" must be changed to colons and leading zeros should be
added to each single-digit hexadecimal number to convert the address
into the form that arp(8) desires; see the manual page on arp(8) for
complete information on usage.
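
The conversion described above, as an added example that is not part of
this FAQ: it pulls the link-level address for one interface out of
"netstat -i" output and rewrites it in the form arp(8) expects. It
assumes the "netstat -i" layout shown in this document; the function
names are made up for illustration.

```sh
#!/bin/sh
# Added example, not from the FAQ. Assumes the "netstat -i" layout shown on
# this page, where the link-level address is glued to "<Link>" in column 3.

# Print the arp(8)-style MAC of interface $1 from "netstat -i" output on
# stdin. Fails (status 1) if the interface has no well-formed link address.
link_mac() {
    awk -v ifname="$1" '
        $1 == ifname && $3 ~ /^<Link>./ {
            n = split(substr($3, 7), oct, ".")     # drop the "<Link>" prefix
            if (n != 6) exit 1
            mac = ""
            for (i = 1; i <= 6; i++) {
                if (oct[i] !~ /^[0-9A-Fa-f][0-9A-Fa-f]?$/) exit 1
                if (length(oct[i]) == 1) oct[i] = "0" oct[i]   # pad "2" to "02"
                mac = mac (i > 1 ? ":" : "") tolower(oct[i])
            }
            print mac
            found = 1
            exit 0
        }
        END { if (!found) exit 1 }
    '
}

# Constructed sample: the two ed0 lines and a lo0 line in the FAQ layout.
sample_netstat() {
    cat <<'EOF'
Name  Mtu   Network     Address            Ipkts Ierrs    Opkts Oerrs  Coll
ed0   1500  <Link>0.2.c1.28.5f.4a         191923     0   129457     0   116
ed0   1500  138.247.224 ivory             191923     0   129457     0   116
lo0   65535 <Link>                            79     0       79     0     0
EOF
}

# Usage in slip.login:  mac=$(netstat -i | link_mac ed0) || exit 1
#                       /usr/sbin/arp -s "$5" "$mac" pub
```

Failing closed when no address is found keeps slip.login from publishing
an ARP entry with an empty or malformed MAC.
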

Note that when you create /etc/slip.login and /etc/slip.logout, the
"execute" bit ("chmod 755 /etc/slip.login /etc/slip.logout") must be
set, or sliplogin will be unable to execute them.

4.3 slip.logout Configuration
-----------------------------

"/etc/slip.logout" isn't strictly needed, but if you decide to create
it, this is an example of a basic slip.logout script:

----- begin /etc/slip.logout -----
#!/bin/sh -
#
#       slip.logout
#
# logout file for a slip line.  sliplogin invokes this with
# the parameters:
#      1        2         3        4          5         6     7-n
#   slipunit ttyspeed loginname local-addr remote-addr mask opt-args
#
/sbin/ifconfig sl$1 down
----- end /etc/slip.logout -----

If you are using "proxy ARP", you'll want to have /etc/slip.logout
remove the ARP entry for the SLIP client:

----- begin /etc/slip.logout for "proxy ARP" -----
#!/bin/sh -
#
#       @(#)slip.logout
#
# logout file for a slip line.  sliplogin invokes this with
# the parameters:
#      1        2         3        4          5         6     7-n
#   slipunit ttyspeed loginname local-addr remote-addr mask opt-args
#
/sbin/ifconfig sl$1 down
# Quit answering ARP requests for the SLIP client
/usr/sbin/arp -d $5
----- end /etc/slip.logout for "proxy ARP" -----

The "arp -d $5" removes the ARP entry that the "proxy ARP" slip.login
added when the SLIP client logged in.

It bears repeating: make sure /etc/slip.logout has the execute bit set
after you create it (e.g., "chmod 755 /etc/slip.logout").

5. Routing Considerations
-------------------------

If you are not using the "proxy ARP" method for routing packets
between your SLIP clients and the rest of your network (and perhaps
the Internet), you will probably either have to add static routes to
your closest default router(s) to route your SLIP client subnet via
your SLIP server, or you will probably need to install and configure
gated on your FreeBSD SLIP server so that it will tell your routers
via appropriate routing protocols about your SLIP subnet.

5.1 Static Routes
-----------------

Adding static routes to your nearest default routers can be
troublesome (or impossible, if you don't have authority to do so...).
If you have a multiple-router network in your organization, some
routers, such as Cisco and Proteon, may not only need to be configured
with the static route to the SLIP subnet, but also need to be told
which static routes to tell other routers about, so some expertise and
troubleshooting/tweaking may be necessary to get static-route-based
routing to work...

5.2 Running gated
-----------------

An alternative to the headaches of static routes is to install gated
on your FreeBSD SLIP server and configure it to use the appropriate
routing protocols (RIP/OSPF/BGP/EGP) to tell other routers about your
SLIP subnet. gated is available from ftp.gated.cornell.edu in
/pub/gated; I believe the current version as of this writing is
"gated-R3_5Alpha_8.tar.Z", which should include support for FreeBSD
"out-of-the-box". Compile and install it, and then write a
/etc/gated.conf file to configure your gated; here's a sample, similar
to what I use on my FreeBSD SLIP server:

----- begin sample /etc/gated.conf for gated version 3.5Alpha5 -----
#
# gated configuration file for dc.dsu.edu; for gated version 3.5alpha5
# Only broadcast RIP information for xxx.xxx.yy out the ed Ethernet interface
#
#
# tracing options
#
traceoptions "/var/tmp/gated.output" replace size 100k files 2 general ;

rip yes {
  interface sl noripout noripin ;
  interface ed ripin ripout version 1 ;
  traceoptions route ;
} ;

#
# Turn on a bunch of tracing info for the interface to the kernel:
kernel {
  traceoptions remnants request routes info interface ;
} ;

#
# Propagate the route to xxx.xxx.yy out the Ethernet interface via RIP
#
export proto rip interface ed {
  proto direct {
      xxx.xxx.yy mask 255.255.252.0 metric 1; # SLIP connections
  } ;
} ;

#
# Accept routes from RIP via ed Ethernet interfaces
import proto rip interface ed {
  all ;
} ;
----- end sample /etc/gated.conf -----

The above sample gated.conf file broadcasts routing information
regarding the SLIP subnet "xxx.xxx.yy" via RIP onto the Ethernet; if
you are using a different Ethernet driver than the "ed" driver, you'll
need to change the references to the "ed" interface appropriately.
This sample file also sets up tracing to /var/tmp/gated.output for
debugging gated; you can certainly turn off the tracing options if
gated works OK for you. I've changed my SLIP subnet's address to
"xxx.xxx.yy" throughout the above file; you'll need to change the
"xxx.xxx.yy"'s into the network address of your own SLIP subnet (be
sure to change the net mask in the "proto direct" clause as well).
Complete gated configuration information may be read through the Web
at "http://www.gated.cornell.edu/".
When you get gated built and installed, and create a configuration
file for it, you'll need to run gated in place of routed on your
FreeBSD system; change the routed/gated startup parameters in
/etc/netstart as appropriate for your system. Please see the manual
page for gated for information on gated's command-line parameters.

6. Acknowledgements
-------------------

Thanks to these people for comments and advice regarding this FAQ:
Wilko Bulte <wilko@yedi.iaf.nl>
Piero Serini <Piero@Strider.Inet.IT>
<<< END OF SLIP SERVER FAQ >>>