User talk:ReetP

From SME Server
Revision as of 14:34, 13 September 2021 by ReetP (talk | contribs)
Jump to navigation Jump to search

My talk page (whatever that means)

systemd notes

normally the 49-koozali.preset should work with the db config. so you have nothing to do except:

- having a systemd service unit named with the same key as the db - removing any link in rc7.d

you need to create a /usr/Lib/systemd/system/bandwithd.service.d/50koozali.conf with (the - after ExecStartPre= is not a typo)

[Unit]
After=wan.service
After=networking.service
[Service]
ExecStartPre=-/sbin/e-smith/expand-template /etc/bandwidthd.conf
[Install]
wantedBy=sme-server.target

this file will be owned by smeserver-b... package


TFTP Notes

Menu system

This uses syslinux available from here

http://www.syslinux.org/wiki/index.php?title=Download

I used a fairly old version but cannot remember what it is.

copy pxelinux.0 to /tftpboot

copy vesamenu.c32 to /tftpboot/com32

I have a menu system as follows

in /tftpboot create a directory called pxelinux.cfg

cd /tftpboot/pxelinux.cfg

make a file called default

touch default

Sample default file - add you own submenus

[root@home pxelinux.cfg]# cat default

menu title --== SME Linux, PXE Main Menu ==--
menu background graphics/background.png
menu tabmsgrow 22
menu cmdlinerow 22
menu endrow 24
menu color title                1;34;49    #eea0a0ff #cc333355 std
menu color sel                  7;37;40    #ff000000 #bb9999aa all
menu color border               30;44      #ffffffff #00000000 std
menu color pwdheader            31;47      #eeff1010 #20ffffff std
menu color hotkey               35;40      #90ffff00 #00000000 std
menu color hotsel               35;40      #90000000 #bb9999aa all
menu color timeout_msg          35;40      #90ffffff #00000000 none
menu color timeout              31;47      #eeff1010 #00000000 none 
prompt 0
noescape 1
allowoptions 0
timeout 0 
default com32/vesamenu.c32
label linuxmenu
 menu label ^Linux Boot Disks Menu
 kernel com32/vesamenu.c32
 append pxelinux.cfg/linux_boot_disks

You need to get your distro image and extract the relevant files and put them in /tftpboot/images/distroName

typically this will be

vmlinuz initrd.img

However there could be other names. YMMV.

Now create a file called linux_boot_disks

Here are some samples (need to confirm if they all work):

label Slitaz 4 Std
 menu label SlitaZ ^4
 kernel images/slitaz_4_0/bzImage
 append initrd=images/slitaz_4_0/rootfs4.gz,images/slitaz_4_0/rootfs3.gz,images/slitaz_4_0/rootfs2.gz,images/slitaz_4_0/rootfs1.gz rw root=/dev/null vga=normal autologin
label Clonezilla-live
 MENU LABEL Clonezilla Live (Ramdisk)
 KERNEL images/clonezilla/vmlinuz
 APPEND initrd=images/clonezilla/initrd.img boot=live username=user union=overlay config components quiet noswap edd=on nomodeset nodmraid locales=en_GB.UTF-8 keyboard-layouts=uk keyboard-layouts= ocs_live_run="ocs-live-general" ocs_live_extra_param="" ocs_live_batch=no net.ifnames=0 nosplash noprompt fetch=tftp://192.168.10.1//images/clonezilla/filesystem.squashfs
label SME8 Install
 menu label ^SME8 Install
 kernel images/SME8/vmlinuz
 append initrd=images/SME8/initrd.img
DEFAULT pmagic
# Boot the kernel and initramfs over PXE.
 LABEL pmagic
 LINUX images/pmagic/bzImage
 INITRD images/pmagic/initramfs
 APPEND edd=on vga=normal vmalloc=384MiB


  1. If you install the smeserver-nfs contrib and export a mount you can use something like the following :
label Bitdefender 2
  menu label ^Bitdefender
  kernel images/bitdefender_2/vmlinuz
  append boot=casper netboot=nfs nfsroot=192.168.0.1:/home/e-smith/files/ibays/computer/files/bitdefender_2 initrd=images/bitdefender_2/initrd.gz lang=gb
label Kaspersky 10 - Rescue
 menu label ^Kaspersky 10 - Rescue
 kernel images/kaspersky_10/rescue
 append nfsdir=192.168.0.1:/home/e-smith/files/ibays/computer/files/kaspersky_10 initrd=images/kaspersky_10/rescue.igz lang=gb ramdisk_size=1000000
label Fsecure 3.11 - Rescue
 menu label ^Fsecure 3.11 - Rescue
 kernel images/fsecure_311/linux
 append nfsdir=192.168.0.1:/home/e-smith/files/ibays/computer/files/fsecure_311 initrd=images/fsecure_311/minirt.gz nodhcp lang=gb ramdisk_size=1000000

smeserver-openswan notes

smeserver-openswan-0.6

Config settings

For other options see here http://linux.die.net/man/5/ipsec.html

We have a new action

signal-event ipsec-update

This will process the required templates and create some files. When a ipsec and a connection is enabled it will open the relevant ports on the firewall It has to disable send redirects, accept redirects and rp_filter. Note that these are considered security features and you disabled them at your own risk https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_send_redirects_in_.2Fproc.2Fsys.2Fnet_.3F https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_rp_filter_in_.2Fproc.2Fsys.2Fnet_.3F

These settings are generic and can be overwritten on a per connection basis

config ipsec show

Only set with db configuration setprop ipsec $key $property

Setting status enabled/disabled will modify access to private/public

status: Default disabled | enabled access: Default private | public UDPPort: Default 500 | Variable auto: Default start | add (do not use ondemand or ignore) debug: none | all raw crypt parsing emitting contril controlmore lifecycle dns dpd klips pfkey natt oppo oppoinfo whackwatch private (all generates a large amount of logging so use with care)

Overall settings - can be in main config db or in ipsec_connections as per connection

ikelifetime: Default 3600s | Variable salifetime: Default 28800s | Variable dpdaction: Default restart | Variable dpddelay: Default 30 | Variable dpdtimeout: Default 10 | Variable pfs: Default yes | Variable connectiontype: Default secret | rassig, certificate ike: Default aes-sha1 | variable - see ipsec.conf readme file for more options


Per connection only settings

Automatically modified - do not change this PreviousState: Denotes previous connection state

Manual keys

db ipsec_connections show

db ipsec_connections setprop ConnectionName $key $property

iptype: Default Emtpy | stattodyn or dyntostat - are we a static host to dynamic client or vice versa ? - Only required for dynamic clients with static hosts connectiontype: Default tunnel | transport/passthrough/drop/reject leftrsasig: Default Empty | Your Local rsasignature key rightrsasig: Default Empty | Your Remote rsasignature key ipsecversion: Default Empty - v1 | If this is set v2 then only v2 will be allowed phase2: aes-sha1 | Various mtu: Default Empty | Various left: Default Empty | If Empty then %defaultroute is set. Can be local WAN IP leftid: Default Empty | Variable leftsourceip: Default Empty | This server local IP leftsubnet: Default Empty | This server local subnet right: Default Empty | Destination WAN IP rightid: Default Empty | Variable rightsubnet: Default Empty | Destination subnet passwd| Default Empty | Variable keyingtries| Default Empty | 0 is default - 'forever'

  1. Future
  2. certname: Default Empty | Your certificate name
  3. leftcert
  4. rightca: Default %same


      • For a basic connection you need this as a bare minimum ***

config setprop ipsec status enabled access public

Note for ipsec_connections we use 'set' when we create new connection. Thereafter you can modify it with setprop

Local - WAN IP 5.6.7.8 Local IP 192.168.20.1 Subnet 192.168.20.0/24 db ipsec_connections set MyEast ipsec status enabled leftsourceip 192.168.20.1 leftsubnet 192.168.20.0/24 right 1.2.3.4 rightsubnet 10.0.0.0/24 passwd MyPassWd

Remote - WAN IP 1.2.3.4 Local IP 10.0.0.1 Subnet 10.0.0.0/24 db ipsec_connections set MyWest ipsec status enabled leftsourceip 10.0.0.1 leftsubnet 10.0.0.0/24 right 5.6.7.8 rightsubnet 192.168.20.0/24 passwd MyPassWd

Bare minimum config for ipsec with static hosts (ike is automatically added)

MyConnection=ipsec

   ike=aes-sha1
   leftsourceip=192.168.50.1
   leftsubnet=192.168.50.0/24
   passwd=SomeLongAndComplicatedPassword
   right=1.2.3.4
   rightsubnet=192.68.60.0/24
   status=enabled


signal-event ipsec-update

Check /var/log/pluto/pluto.log ipsec whack --status ipsec verify (may be some warnings - severity depends on what they are)


      • For a rsasig connection ***

Please see the section on generating rsa Signatures.

The FIRST time you must run this command to setup the dbs. Thereafter if you delete them NSS will regenerate new dbs and you do not need to do this.

ipsec initnss

ipsec newhostkey --random /dev/random --output /etc/ipsec.d/rsa.secrets

When you copy the key it MUST be in one long line.

Remember

East leftrsasig=PUBLIC key of East rightrsasig=PUBLIC key of West

West leftrsasig=PUBLIC key of West rightrsasig=PUBLIC key of East


You MUST use IDs, ESPECIALLY if you have a dynamic IP at one end.

Local - WAN IP 5.6.7.8 Local IP 192.168.20.1 Subnet 192.168.20.0/24 db ipsec_connections set MyEast ipsec status enabled leftsourceip 192.168.20.1 leftsubnet 192.168.20.0/24 right 1.2.3.4 rightsubnet 10.0.0.0/24 security rsasig leftid East rightid West leftrsasig SomeLongPassFromEast rightrsasig SomeLongPasswordFromWest

Remote - WAN IP 1.2.3.4 Local IP 10.0.0.1 Subnet 10.0.0.0/24 db ipsec_connections set MyWest ipsec status enabled leftsourceip 10.0.0.1 leftsubnet 10.0.0.0/24 right 5.6.7.8 rightsubnet 192.168.20.0/24 security rsasig leftid West rightid West leftrsasig SomeLongPassFromWest rightrsasig SomeLongEastPasswordFromEast


      • For a rsasig connection with dynamic IP ***

This will set your local 'left' rsasig

db ipsec_connections setprop East leftrsasig `cat rsa.secrets |grep pubkey |sed 's/.*key=//'`

Then Extract the public key for the far end. When you copy the key it MUST be in one long line.

cat /etc/ipsec.d/rsa.secrets |grep pubkey |sed 's/.*key=//'

East needs to create a set of keys and send the public key to West. West needs to create a set of keys key and send the public key to East

Note that with dynamic IPs we have to allow connections from anywhere which is not as safe as fixed IPs. We therefore recommend setting security rsasig, ike v2, and use leftid/rightid to enhance security

We set the static server to: auto 'add' so it only listens for incoming connections dpdaction 'clear' so the route is cleared if the connection is dropped iptype stattodyn - sets right = %any (allow all hosts to

We set the dynamic server to: auto 'start' so it immediately attempts to connect iptype dyntostat

Local - MyEast - WAN IP 5.6.7.8 Local IP 192.168.20.1 Subnet 192.168.20.0/24 db ipsec_connections set MyEast ipsec status enabled iptype stattodyn auto add dpdaction clear leftsourceip 192.168.20.1 leftsubnet 192.168.20.0/24 rightsubnet 10.0.0.0/24 security rsasig leftid East rightid West leftrsasig SomeLongPassFromEast rightrsasig SomeLongPasswordFromWest

Remote MyWest - WAN IP %variable Local IP 10.0.0.1 Subnet 10.0.0.0/24 db ipsec_connections set MyWest ipsec status enabled iptype dyntostat auto start leftsourceip 10.0.0.1 leftsubnet 10.0.0.0/24 right 5.6.7.8 rightsubnet 192.168.20.0/24 security rsasig leftid West rightid East leftrsasig SomeLongPassFromWest rightrsasig SomeLongEastPasswordFromEast

smeserver-libreswan notes

smeserver-libreswan-0.5

Config settings

For other options see here https://libreswan.org/man/ipsec.conf.5.html

We have a new action

signal-event ipsec-update

This will process the required templates and create some files. When a ipsec and a connection is enabled it will open the relevant ports on the firewall It has to disable send redirects, accept redirects and rp_filter. Note that these are considered security features and you disabled them at your own risk https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_send_redirects_in_.2Fproc.2Fsys.2Fnet_.3F https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_rp_filter_in_.2Fproc.2Fsys.2Fnet_.3F

These settings are generic and can be overwritten on a per connection basis

config ipsec show

Only set with db configuration setprop ipsec $key $property

Setting status enabled/disabled will modify access to private/public

status: Default disabled | enabled access: Default private | public UDPPort: Default 500 | Variable auto: Default start | add (do not use ondemand or ignore) debug: none | all raw crypt parsing emitting contril controlmore lifecycle dns dpd klips pfkey natt oppo oppoinfo whackwatch private (all generates a large amount of logging so use with care)

Overall settings - can be in main config db or in ipsec_connections as per connection

ikelifetime: Default 3600s | Variable salifetime: Default 28800s | Variable dpdaction: Default restart | Variable dpddelay: Default 30 | Variable dpdtimeout: Default 10 | Variable pfs: Default yes | Variable connectiontype: Default secret | rassig, certificate ike: Default aes-sha1 | variable - see ipsec.conf readme file for more options


Per connection only settings

Automatically modified - do not change this PreviousState: Denotes previous connection state

Manual keys

db ipsec_connections show

db ipsec_connections setprop ConnectionName $key $property

iptype: Default Emtpy | stattodyn or dyntostat - are we a static host to dynamic client or vice versa ? - Only required for dynamic clients with static hosts connectiontype: Default tunnel | transport/passthrough/drop/reject leftrsasig: Default Empty | Your Local rsasignature key rightrsasig: Default Empty | Your Remote rsasignature key ipsecversion: Default Empty - v1 | If this is set v2 then only v2 will be allowed phase2: aes-sha1 | Various mtu: Default Empty | Various left: Default Empty | If Empty then %defaultroute is set. Can be local WAN IP leftid: Default Empty | Variable leftsourceip: Default Empty | This server local IP leftsubnet: Default Empty | This server local subnet right: Default Empty | Destination WAN IP rightid: Default Empty | Variable rightsubnet: Default Empty | Destination subnet passwd| Default Empty | Variable keyingtries| Default Empty | 0 is default - 'forever'

  1. Future
  2. certname: Default Empty | Your certificate name
  3. leftcert
  4. rightca: Default %same


      • For a basic connection you need this as a bare minimum ***

config setprop ipsec status enabled access public

Note for ipsec_connections we use 'set' when we create new connection. Thereafter you can modify it with setprop

Local - WAN IP 5.6.7.8 Local IP 192.168.20.1 Subnet 192.168.20.0/24 db ipsec_connections set MyEast ipsec status enabled leftsourceip 192.168.20.1 leftsubnet 192.168.20.0/24 right 1.2.3.4 rightsubnet 10.0.0.0/24 passwd MyPassWd

Remote - WAN IP 1.2.3.4 Local IP 10.0.0.1 Subnet 10.0.0.0/24 db ipsec_connections set MyWest ipsec status enabled leftsourceip 10.0.0.1 leftsubnet 10.0.0.0/24 right 5.6.7.8 rightsubnet 192.168.20.0/24 passwd MyPassWd

Bare minimum config for ipsec with static hosts (ike is automatically added)

MyConnection=ipsec

   ike=aes-sha1
   leftsourceip=192.168.50.1
   leftsubnet=192.168.50.0/24
   passwd=SomeLongAndComplicatedPassword
   right=1.2.3.4
   rightsubnet=192.68.60.0/24
   status=enabled


signal-event ipsec-update

Check /var/log/pluto/pluto.log ipsec whack --status ipsec verify (may be some warnings - severity depends on what they are)


      • For a rsasig connection ***

Please see the section on generating rsa Signatures.

The FIRST time you must run this command to setup the dbs. Thereafter if you delete them NSS will regenerate new dbs and you do not need to do this.

ipsec initnss

ipsec newhostkey --random /dev/random --output /etc/ipsec.d/rsa.secrets

When you copy the key it MUST be in one long line.

Remember

East leftrsasig=PUBLIC key of East rightrsasig=PUBLIC key of West

West leftrsasig=PUBLIC key of West rightrsasig=PUBLIC key of East


You MUST use IDs, ESPECIALLY if you have a dynamic IP at one end.

Local - WAN IP 5.6.7.8 Local IP 192.168.20.1 Subnet 192.168.20.0/24 db ipsec_connections set MyEast ipsec status enabled leftsourceip 192.168.20.1 leftsubnet 192.168.20.0/24 right 1.2.3.4 rightsubnet 10.0.0.0/24 security rsasig leftid East rightid West leftrsasig SomeLongPassFromEast rightrsasig SomeLongPasswordFromWest

Remote - WAN IP 1.2.3.4 Local IP 10.0.0.1 Subnet 10.0.0.0/24 db ipsec_connections set MyWest ipsec status enabled leftsourceip 10.0.0.1 leftsubnet 10.0.0.0/24 right 5.6.7.8 rightsubnet 192.168.20.0/24 security rsasig leftid West rightid West leftrsasig SomeLongPassFromWest rightrsasig SomeLongEastPasswordFromEast


      • For a rsasig connection with dynamic IP ***

This will set your local 'left' rsasig

db ipsec_connections setprop East leftrsasig `cat rsa.secrets |grep pubkey |sed 's/.*key=//'`

Then Extract the public key for the far end. When you copy the key it MUST be in one long line.

cat /etc/ipsec.d/rsa.secrets |grep pubkey |sed 's/.*key=//'

East needs to create a set of keys and send the public key to West. West needs to create a set of keys key and send the public key to East

Note that with dynamic IPs we have to allow connections from anywhere which is not as safe as fixed IPs. We therefore recommend setting security rsasig, ike v2, and use leftid/rightid to enhance security

We set the static server to: auto 'add' so it only listens for incoming connections dpdaction 'clear' so the route is cleared if the connection is dropped iptype stattodyn - sets right = %any (allow all hosts to

We set the dynamic server to: auto 'start' so it immediately attempts to connect iptype dyntostat

Local - MyEast - WAN IP 5.6.7.8 Local IP 192.168.20.1 Subnet 192.168.20.0/24 db ipsec_connections set MyEast ipsec status enabled iptype stattodyn auto add dpdaction clear leftsourceip 192.168.20.1 leftsubnet 192.168.20.0/24 rightsubnet 10.0.0.0/24 security rsasig leftid East rightid West leftrsasig SomeLongPassFromEast rightrsasig SomeLongPasswordFromWest

Remote MyWest - WAN IP %variable Local IP 10.0.0.1 Subnet 10.0.0.0/24 db ipsec_connections set MyWest ipsec status enabled iptype dyntostat auto start leftsourceip 10.0.0.1 leftsubnet 10.0.0.0/24 right 5.6.7.8 rightsubnet 192.168.20.0/24 security rsasig leftid West rightid East leftrsasig SomeLongPassFromWest rightrsasig SomeLongEastPasswordFromEast