Sat 15 Oct '05
I am finally done with this home router project and ready to replace my current router, a PC running FreeBSD (described here). As of Oct 15 it has been up:
    2:21AM up 447 days, 4:37, 3 users, load averages: 1.02, 1.02, 1.00
The new project aims at similar functionality, minus the wireless access point: I bought a Netgear 802.11g wireless router and use it purely as an AP. Now it is time to wrap everything up and give a detailed account of the project.
Hardware:
A Soekris 4511 single-board computer. It is i386-compatible, with a CompactFlash slot, a PCMCIA slot and a miniPCI slot. It has no keyboard or display and is controlled over a serial console. It has two 10/100 Mbps Ethernet ports.
Software:
A tailored distribution of OpenBSD 3.7 i386.
Project goal:
A router, a NAT server, a firewall, a domain name server (authoritative for the local LAN and recursive for its clients), a DHCP server, an SMTP server, an IMAP server and a general shell server. It routes my home LAN and handles lightweight mail service: receiving and sending mail, serving it over IMAP, and providing shell access for reading mail with PINE.
Approach:
I used flashdist as a starting point and made the following changes:
- Since I plan to run a mail server, I need a writable disk. So I simply mount the filesystem read/write and got rid of the /var symlink; /tmp stays on a memory filesystem for speed.
- I need a name server, so I copied the named binaries and configuration files. The configuration lives under /var/named because named runs chrooted there.
- I need a mail reader; I settled on mutt for now.
- I run postfix as the MTA and courier-imap as the IMAP server.
- The server has no fixed IP address, so I registered a dynamic hostname at dyndns.org. After a little research I chose inadyn as the update client, for its simplicity and lack of dependencies.
flashdist takes a file list and copies those files into the distribution. All shared-library dependencies are determined by running ldd on the executables. It runs disklabel to create the partition table and install the boot loader, and it also copies customised configuration files, including the start-up script. Here is the list of configuration files that differ from a stock installation:
/etc/ttys /etc/boot.conf /etc/fstab /etc/rc /etc/syslog.conf /etc/pf.conf /etc/inadyn.conf /etc/dhcpd.conf /etc/group /etc/myname /etc/dhclient.conf /etc/aliases /etc/aliases.db /etc/master.passwd /etc/postfix/main.cf /etc/sudoers /etc/courier-imap/imapd.cnf /etc/ssl/private/imapd.pem /var/named/
A short note on each of these files:
- In ttys, the normal console is turned off and the serial console turned on.
- boot.conf basically sets the serial console speed for the bootstrap loader.
- fstab, I guess I don't need to document this one.
- rc is the start-up script and currently looks like this:
stty status '^T'

# Set shell to ignore SIGINT (2), but not children;
# shell catches SIGQUIT (3) and returns to single user.
trap : 2
trap : 3

HOME=/; export HOME
PATH=/sbin:/bin:/usr/sbin:/usr/bin
export PATH

# "rc shutdown" is run by init at halt/reboot time: stop the mail
# daemons cleanly and do nothing else.
if [ "$1" = "shutdown" ]; then
        echo soekris 4511: shutting down...
        echo courier-imap: stopping imapd...
        /usr/local/libexec/imapd.rc stop
        echo postfix: stopping mta...
        /usr/local/sbin/postfix stop
        exit 0
fi

fsck -p

echo mfs: mounting /tmp...
mount_mfs -s 16384 /dev/wd0b /tmp
chmod 1777 /tmp

echo mount: mounting /...
mount -o rw,noatime /dev/wd0a /

# You don't need to make databases, but they help ps and some other
# programs ... (skipped kvm for now since /dev/ksyms is a waste of time
# on an embedded router)
# echo -n "databases:"
echo -n " dev"
dev_mkdb
echo

# Init will do this for us, but to be proper we should do it now, before
# remote login services start
echo -n "securelevel: "
sysctl -w kern.securelevel=1

# hardware watchdog: reboot if userland stops petting it
echo -n "watchdog: "
sysctl -w kern.watchdog.period=32
echo -n "watchdog: "
sysctl -w kern.watchdog.auto=1

ldconfig /usr/lib /usr/local/lib

ifconfig lo0 127.0.0.1 netmask 255.0.0.0

# sis0 is the external interface and obtains its IP address via dhcp
echo starting dhclient...
dhclient -q sis0

# sis1 is the internal interface
ifconfig sis1 inet 192.168.0.1 netmask 255.255.255.192

echo setting hostname...
hostname `cat /etc/myname`

# syslogd needs extra log sockets inside the named and sshd chroots
echo syslogd: starting log daemon...
rm -f /var/named/dev/log
rm -f /var/empty/dev/log
mkdir -p -m 0555 /var/empty/dev
syslogd -a /var/named/dev/log -a /var/empty/dev/log

echo pf: starting packet forwarding...
sysctl -w net.inet.ip.forwarding=1
pfctl -e -f /etc/pf.conf
#do we start pflogd or not?
#ifconfig pflog0 up
#pflogd -s 256

echo sshd: starting ssh server...
/usr/sbin/sshd

echo inadyn: starting dyndns update daemon...
#inadyn

echo dhcpd: starting dhcp server...
touch /var/db/dhcpd.leases
dhcpd -q sis1

echo named: starting name server...
/usr/sbin/named

# postfix runs chrooted in /var/spool/postfix and needs its own copy of
# resolv.conf, which changes whenever dhclient gets a new lease
echo postfix: starting mta...
if ! cmp -s /etc/resolv.conf /var/spool/postfix/etc/resolv.conf ; then
        echo updating resolv.conf in postfix chroot space...
        cp /etc/resolv.conf /var/spool/postfix/etc/resolv.conf
        chown root:wheel /var/spool/postfix/etc/resolv.conf
        chmod 644 /var/spool/postfix/etc/resolv.conf
fi
/usr/local/sbin/postfix start

echo courier-imap: starting imapd...
/usr/local/libexec/imapd.rc start

echo ntpd: starting network time daemon...
ntpd -s
- syslog.conf controls where messages are logged.
- pf.conf holds the rules for pf. The main objective is to let the internal computers reach the Internet freely while protecting them from it; only the necessary traffic is allowed in. The complete ruleset follows. Be aware of what it does let in: ssh, smtp and imap (22, 25, 143) on the router itself, and Remote Desktop (3389) plus the BitTorrent port range forwarded to 192.168.0.10, all from any source address. The synproxy state on the forwarded ports only protects the internal machine from TCP SYN floods, not from attacks on the services behind them. Note also that ftp clients behind the firewall do not work in active mode; that needs ftp-proxy running on the firewall, which I have no intention of setting up for now, since most ftp servers support passive mode nowadays anyway.

# macros.
ext_if="sis0"
int_if="sis1"
rd_box = "192.168.0.10"
bt_box = "192.168.0.10"
bt_ports = "6881:6999"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
tcp_services = "{ 22, 25, 143 }"
icmp_types = "echoreq"

# options.
set block-policy return

# normalize all packets.
scrub in all

# nat on the external interface.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# redirect certain ports.
# Windows Remote Desktop Service.
rdr on $ext_if proto tcp from any to any port 3389 -> $rd_box
# BitTorrent.
rdr on $ext_if proto tcp from any to any port $bt_ports -> $bt_box

# default to deny-all policy.
block all

# loopback interface is OK.
pass quick on lo0 all

# block rfc 1918 addresses from the public Internet.
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state

# pass the redirected ports. protect internal machines from tcp syn flood.
pass in on $ext_if proto tcp from any to $rd_box port 3389 \
    flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $bt_box port $bt_ports \
    flags S/SA synproxy state

# allow certain types of icmp.
pass in inet proto icmp all icmp-type $icmp_types keep state

# allow connections from and to the internal network
pass in on $int_if from $int_if:network to any
pass out on $int_if from any to $int_if:network

# allow outgoing connections
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

- The directory /var/named/ contains the configuration files for the name server, which runs chrooted there.
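flashdist's dependency step described above (run ldd on every executable in the file list and ship the libraries it names) as an added example; this is not flashdist's own code and not from the original post. The ldd outputs are constructed samples in the table layout of OpenBSD's ldd(1), with a "Type" and a "Name" column; the library version numbers are illustrative only. The parser finds its columns from the header line, so it works whether or not the newer "Open/GrpRef" columns are present, and it treats the "not a dynamic executable" diagnostic that statically linked /bin and /sbin programs produce as "nothing to copy". The one thing people forget is visible in the result: the dynamic linker /usr/libexec/ld.so is reported like any other object and must be shipped too, or nothing dynamically linked will start.

```python
"""Shared-library closure of a file list, flashdist style (added example)."""
import subprocess

# Constructed ldd(1) outputs keyed by the path ldd was run on.  Real
# OpenBSD output has the same shape; versions here are made up.
SAMPLE_LDD = {
    "/usr/sbin/named": (
        "/usr/sbin/named:\n"
        "        Start    End      Type Ref Name\n"
        "        1c000000 3c0b2000 exe  1   /usr/sbin/named\n"
        "        09a5f000 29a76000 rlib 1   /usr/lib/libcrypto.so.11.0\n"
        "        0ab1d000 2ab3f000 rlib 1   /usr/lib/libc.so.34.2\n"
        "        0f4c0000 2f4c0000 rtld 1   /usr/libexec/ld.so\n"
    ),
    "/usr/sbin/sshd": (
        "/usr/sbin/sshd:\n"
        "        Start    End      Type Ref Name\n"
        "        1c000000 3c05e000 exe  1   /usr/sbin/sshd\n"
        "        0d1a2000 2d1ad000 rlib 1   /usr/lib/libutil.so.11.0\n"
        "        0c2f0000 2c2ff000 rlib 1   /usr/lib/libz.so.4.1\n"
        "        09a5f000 29a76000 rlib 1   /usr/lib/libcrypto.so.11.0\n"
        "        0ab1d000 2ab3f000 rlib 1   /usr/lib/libc.so.34.2\n"
        "        0f4c0000 2f4c0000 rtld 1   /usr/libexec/ld.so\n"
    ),
    # /sbin is statically linked on OpenBSD: no table, only a diagnostic
    "/sbin/fsck": "ldd: /sbin/fsck: not a dynamic executable\n",
}


def parse_ldd(output):
    """Return the set of objects ldd lists besides the executable itself
    (shared libraries and the dynamic linker); empty for a static binary."""
    deps = set()
    type_col = name_col = None
    for line in output.splitlines():
        fields = line.split()
        if not fields or (len(fields) == 1 and fields[0].endswith(":")):
            continue                      # blank line or "/path/to/exe:" title
        if "not a dynamic executable" in line:
            return deps                   # static binary: nothing to copy
        if "Type" in fields and "Name" in fields:
            type_col = fields.index("Type")   # locate columns from the header
            name_col = fields.index("Name")
            continue
        if type_col is None or len(fields) <= max(type_col, name_col):
            continue                      # not a table row we understand
        if fields[type_col] != "exe":     # rlib, rtld, ld.so, dlib ...
            deps.add(fields[name_col])
    return deps


def library_closure(file_list, run_ldd):
    """Union of everything ldd says the listed executables need at run time,
    minus files already on the list.  run_ldd(path) returns ldd's output."""
    needed = set()
    for path in file_list:
        needed |= parse_ldd(run_ldd(path))
    return sorted(needed - set(file_list))


def real_ldd(path):
    """ldd runner for a live OpenBSD box (the diagnostic goes to stderr)."""
    proc = subprocess.run(["ldd", path], capture_output=True, text=True)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    files = ["/usr/sbin/named", "/usr/sbin/sshd", "/sbin/fsck"]
    for lib in library_closure(files, SAMPLE_LDD.__getitem__):
        print(lib)
```

Swap `SAMPLE_LDD.__getitem__` for `real_ldd` to compute the list for an actual file list; ldd reports the complete load set, so one pass over the executables is enough and the libraries themselves need not be fed back in.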
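The pf ruleset above, audited by an added example that is not part of the original post and not pf's own tooling: a Python parser for the subset of pf.conf syntax the ruleset uses (quoted macros, `{ ... }` lists, backslash continuations, `rdr` and `pass in on` rules with a port clause). It expands the macros, resolves which `pass in` rules on the external interface end up at a redirect target, and lists the services reachable from the Internet, which is the attack-surface list one wants to re-check after every rule change. The embedded ruleset is an excerpt of the page's own pf.conf; only port-based rules with an explicit `on` interface are enumerated, so the icmp echo rule, which has neither, does not appear.

```python
"""Which ports does this pf ruleset expose on the external interface? (added example)"""
import re

# Excerpt of the router's pf.conf: macros, translation and inbound rules.
PF_CONF = r"""
ext_if="sis0"
int_if="sis1"
rd_box = "192.168.0.10"
bt_box = "192.168.0.10"
bt_ports = "6881:6999"
tcp_services = "{ 22, 25, 143 }"
icmp_types = "echoreq"
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $ext_if proto tcp from any to any port 3389 -> $rd_box
rdr on $ext_if proto tcp from any to any port $bt_ports -> $bt_box
block all
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state
pass in on $ext_if proto tcp from any to $rd_box port 3389 \
    flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $bt_box port $bt_ports \
    flags S/SA synproxy state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')
PORTS = r"(\{[^}]*\}|\S+)"            # "{ 22, 25, 143 }", "3389" or "6881:6999"
RDR_RE = re.compile(r"^rdr on (\S+) proto (\S+) from any to any port " + PORTS + r" -> (\S+)$")
PASS_IN_RE = re.compile(r"^pass in on (\S+) .*?proto (\S+) from (\S+) to (\S+) port " + PORTS)


def parse_ruleset(text):
    """Return (macros, rules): rules are comment-stripped, continuation-joined,
    macro-expanded and whitespace-normalised lines."""
    macros, rules = {}, []
    joined = text.replace("\\\n", " ")          # join "\" continuation lines
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue

        def expand(mm):                         # $int_if:network -> sis1:network
            name = mm.group(1)
            if name not in macros:
                raise ValueError("undefined macro $%s" % name)
            return macros[name]

        rules.append(re.sub(r"\s+", " ", re.sub(r"\$(\w+)", expand, line)))
    return macros, rules


def expand_ports(spec):
    """'{ 22, 25, 143 }' -> [(22,22),(25,25),(143,143)]; '6881:6999' -> [(6881,6999)]."""
    out = []
    for item in spec.strip("{} ").replace(",", " ").split():
        lo, _, hi = item.partition(":")
        out.append((int(lo), int(hi or lo)))
    return out


def exposed_services(text):
    """Services reachable via the external interface as
    (proto, first_port, last_port, source, final_destination) tuples."""
    macros, rules = parse_ruleset(text)
    ext_if = macros["ext_if"]
    redirects = {}                              # (proto, lo, hi) -> internal host
    exposed = []
    for rule in rules:
        m = RDR_RE.match(rule)
        if m and m.group(1) == ext_if:
            for lo, hi in expand_ports(m.group(3)):
                redirects[(m.group(2), lo, hi)] = m.group(4)
            continue
        m = PASS_IN_RE.match(rule)
        if m and m.group(1) == ext_if:
            proto, src, dst, ports = m.group(2), m.group(3), m.group(4), m.group(5)
            for lo, hi in expand_ports(ports):
                # "($ext_if)" is the router's own address; otherwise follow the rdr
                target = "router itself" if dst == "(%s)" % ext_if else redirects.get((proto, lo, hi), dst)
                exposed.append((proto, lo, hi, src, target))
    return exposed


if __name__ == "__main__":
    for proto, lo, hi, src, target in exposed_services(PF_CONF):
        span = str(lo) if lo == hi else "%d-%d" % (lo, hi)
        print("%s/%s from %s -> %s" % (proto, span, src, target))
```

Point it at `open("/etc/pf.conf").read()` to audit the live file; it complements, rather than replaces, `pfctl -nf /etc/pf.conf`, which checks the syntax but says nothing about what the rules let in.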
October 28th, 2005 at 1:27 pm
This is cool. I wanted to set up an old P233 as such a server but eventually gave up: too noisy and power-consuming. This 4511 baby seems to act perfectly for these tasks.
Better take a pic and put it here
October 28th, 2005 at 1:35 pm
And send me a test account… :D Never tried a single-board computer so far.
November 25th, 2005 at 1:25 am
I want to name PC Engines' WRAP as an alternative hardware platform for this, because of its price.
You'll find a review (Soekris is mentioned too) right here [1]
[1]http://www.tomsnetworking.com/Reviews-169-ProdID-WRAP1D2.php