Originally Published: Thursday, 27 September 2001 Author: IRC Staff

Beginners Week: A Recap

Now that Beginners' Week is winding down on Linux.com, it's time to do a quick recap of all of the Live! events we had. Here are the logs from our three events: Installing RedHat 7.1, Setting Up a Home Network, and Configuring a Firewall.

All IRC Live! events are moderated. This means that audience members message their questions to the moderator and the moderator asks questions in the channel, so any question that comes from 'lcModerator' is a question from an audience member. Thanks and enjoy the log.

Matt Michie, one of our staff members, walked our audience through a basic install of RedHat 7.1 in this log. There were many interesting questions raised throughout the event that make for an interesting read when you want to install RedHat 7.1.

<influx> hey all
<influx> we'll be starting the red hat 7.1 install tutorial shortly
--- ChanServ gives channel operator status to starlady
<starlady> we're going to be starting in just a couple of minutes
--- ChanServ gives channel operator status to lcModerator
<seva> r] by ChanServ
--- ChanServ gives channel operator status to Dazman
<seva> er
--- ChanServ removes channel operator status from Dazman
<influx> hey all
<influx> i'm influx aka matt michie, and i'll be working through the install of redhat 7.1
--- influx sets mode +m #live
<influx> as i go, if you have questions please /msg them to lcmoderator and he'll queue them up and post them for all of us
<influx> i'll be installing x86, redhat 7.1 from CD-ROM... i'll try to do it as generic as possible so it should apply to a wide variety of hardware/configurations
<influx> there are many good sources to obtain a redhat install including local retail outlets, cheapbytes.com and even just downloading and burning .iso's from ftp sites
<influx> redhat 7.1 includes some new install improvements such as partitionless installs, auto-partitioning, and security features... i'll try to touch on all of them
<LinuxWolf> If you miss anything there will be a log of this tutorial on http://www.linux.com/live in the coming days
--- starlady removes channel operator status from starlady
<influx> first, it's a good idea to be aware of what hardware you have on your system... if you already have windows, check out the system tab in your control panel and write down some of the information
<influx> redhat 7.1 should mostly auto-detect these settings, but it's always a good idea to have backups
<influx> you'll need at least a 386 and 1.5 gigs of free hard drive space for a default install... i recommend much higher than a 386 though :)
<influx> first, to install insert the first compact disc into your drive tray and reboot your system, i'll assume that your system supports booting from the cd-rom
<influx> if it does not, there are boot floppy images available for use
<influx> tallguy also told me to mention that you'll need at least 16 megs of ram for an install
<influx> preferably more for the GUI install
<LinuxWolf> use rawrite to make a floppy with the cd.img file on it
<influx> the kernel itself will not run on less than 4mb
<influx> after you've booted, you'll be presented with a text menu
<influx> for most users you can simply hit return for the install to load
<influx> it will attempt to load a GUI install, and if that fails will move into text mode
<influx> you'll see the install kernel booting as the text scrolls
<influx> it will then load anaconda which is the redhat install program
<influx> a cool feature with the redhat install is that there are different terminals which give expert users a chance to control things a bit better
<influx> you can scroll through these by pressing ctrl-alt-f1 through ctrl-alt-f7
<influx> particularly useful is the f2 vt which has a shell prompt
<influx> or f3 which has the install log
<influx> to get back to the gui hit the f7 terminal
<influx> continuing...
<LinuxWolf> for those with keyboards that have two Ctrl keys, use the left Ctrl key
<influx> the first choice you'll need to make is language selection
<influx> i'll choose english and hit next to continue, obviously choose the language you speak the best ;)
<influx> next, is keyboard configuration... most users can simply choose the default and hit next
<influx> if you have something special, scroll through the choices and select your keyboard
<influx> the gui has a test area so you can make sure it works
<influx> the next option for the gui is mouse selection
<influx> with the new 2.4 kernels, even USB mice are supported... choose your brand of mouse and hit continue
--- ChanServ gives channel operator status to dlewis
<influx> it's a good idea to emulate 3 buttons if you have a two button mouse
<influx> X makes use of the third button for pasting
<influx> continue until you get to the install options screen
<influx> here you are presented with a choice between a workstation, server, laptop, or custom install... here is also where you would upgrade from a previous install of redhat
<influx> install a server only if you intend to use the system as a dedicated server... otherwise just choose workstation or laptop if it is a laptop
<influx> if you are familiar with some of the previous redhat installs, you'll be glad to know that there is much improved default security
<LinuxWolf> Custom is also a good choice if you're familiar with what services do what
<influx> if you choose workstation you won't even have inetd installed by default :)
<influx> next, we come to partitioning, one of the trip ups even veteran linux users stumble across
<LinuxWolf> a big misconception is a person turns on ftp as they think they need it. Unless you intend to offer your computer as an FTP server you don't need that service running
<influx> 7.1 will do automatic partitioning if you have 1.5 gigs free space on your hard drive
<influx> it is also possible to do a partitionless install with the linux system installed on FAT
<influx> this is good for testing out linux, but will seriously degrade performance
<influx> if you can not do automatic partitioning, disk druid does a pretty good job of things
<influx> i wouldn't recommend mucking with fdisk unless you are very familiar with how partitions work
<influx> i'll walk through a quick disk druid setup
<influx> we generally need at least two partitions
<influx> root or / and a swap partition
<influx> there are many rules of thumb on how big of a swap partition you need, but some would say 2 * amount of installed RAM
<lcModerator> Question: Does RedHat' Parition Software allow you to shrink an existing windows partition?
<influx> no, it won't but there are commercial and other free alternatives which do so
<influx> partition magic is a good commercial alternative
<influx> parted is the best free (free speech and free beer) way to do it
<influx> sometimes you'll also need to create a boot partition
<influx> the maximum you need is 32 megabytes for /boot
<influx> and like i said earlier i recommend at least 1.5 gigs for /
<influx> once you've allocated the partitions, click next and the installer will prompt you on formatting them to linux native file system
<influx> starlady informs me, that the url for parted is: http://www.gnu.org/software/parted/
<influx> and we also have information on how to use it on our linux.com debian install guide at: http://linux.com/learn/installguide/debian/
<influx> i generally don't check for bad blocks while formatting... i'd only select this if you have an older drive you suspect may have some bad clusters
<influx> it will slow things down dramatically
<influx> choose next and allow the file systems to format
<influx> the next screen is LILO configuration
<influx> LILO is a boot manager allowing you to select different operating systems at boot
<influx> you can choose between windows and linux for instance... later once you are more advanced you can configure it to select different kernels at boot time
<influx> most of the time you can leave the defaults selected on this screen and it will do the "right thing"
<influx> hit next to continue
<influx> if you have a network card, you'll be presented with network configuration
<lcModerator> Question: Should you install lilo to the MBR or to the boot partition?
<influx> i generally install to the master boot record
<influx> this will work on most installs, apparently some OSes such as NT do not like lilo on the MBR and in these cases you'll do the boot partition
<influx> on network configuration, you'll get these settings from your network admin
<lcModerator> Question: Do you need to install Linux before or After an Install of windows for dual boot?
<influx> i was just informed by ninjaz_ that indeed NT will work with lilo on the MBR and it will also handle large disks
<influx> it's easier to install linux after windows
<LinuxWolf> Nt's bootloader can also be configured to add linux to its options IIRC
<influx> if you reverse the order, windows will overwrite the mbr, ruining your dual boot... you can fix this, but it's simpler to install windows first :)
<influx> any other questions on partitioning/lilo ?
<LinuxWolf> I have one
<influx> shoot :)
<LinuxWolf> some say swap= 2.5 times physical ram
<LinuxWolf> if on a machine with say 512mb of ram is this needed
<influx> for most cases, no
<influx> for a workstation you'll almost never need more than 512 MB of swap
<influx> in fact older linux kernels only supported a maximum of 128MB
<LinuxWolf> so should a user make the partition equal to RAM or 128mb
<influx> okay, in the networking, linux also supports DHCP, which will grab your settings automagically from the network if there is a DHCP server running
<influx> LinuxWolf: if i had 512MB, i'd probably go with a 128MB swap
<influx> you can always tune it later, or even just add a swap file
<influx> tallguy_ suggests that any kernel before 2.4.9, which the default 7.1 kernel is should have 2*RAM
<influx> as it will be needed
<influx> 2.4.10 has changes in the VM which deal with SWAP better :)
<influx> there are few hard and fast rules on the size of swap :)
<influx> as you are running, you can use the free command or top to see how much swap is being used
<influx> you'll be able to tell better from the workloads you see on your own system
<influx> once you've completed networking setup, the next step is firewall configuration
<influx> this is new for 7.1 and is a welcome improvement
<influx> it's not a bad idea to just go with the default firewall rules and high security
<influx> especially with a workstation install, you've got a better chance of remaining secure by default than with previous redhats
<influx> as always, you'll still need to keep up to date with patches and security advisories
<influx> having a firewall doesn't mean you are completely invulnerable, it's just another layer of protection
<influx> once selected, hit next
<influx> here you can choose your timezone on a pretty little world
<LinuxWolf> especially important with users that have on-demand access like cable or dsl connection
<influx> exactly right
<influx> once you have your time zone, hit next
<influx> next is language support, if you only have one language you can just leave the default and hit next
<influx> here we come to account configuration
<LinuxWolf> sub-note
<LinuxWolf> choosing language also affects the way your computer uses language, as in Brits use metric, and most of the world. If you choose US then you would use F for temperature and so on
<influx> you'll be asked to set a root password and create at least one user account
<LinuxWolf> so your choice is important in more ways than 1
<influx> remember for root password, you should have a password length of at least six, with mixed caps, and numerals
<influx> a bad password would be: password, root, your name, birthday, social, spouses name, any word in the dictionary
<influx> a good password would be: jieufJ8
<influx> preferably even some special characters thrown in as well
<influx> also create a user account with a _different_ password from root
<influx> you should always use your user account only using the su command to switch to root for system level configurations
<influx> once you've added your accounts hit next
<influx> the next screen allows you to set up authentication... most users can leave on MD5 and shadow passwords ignoring the rest
<influx> NIS, LDAP, and Kerberos settings will be given to you by a network admin if you require them
<influx> MD5 and shadow passwords are an extra layer of security, leave them on if possible :)
<LinuxWolf> MD5 so you know is the replacement to yellow page
<influx> err NIS is the replacement to YP :)
<LinuxWolf> sorry NIS :)
<influx> md5 just allows 256 chars in the password field instead of 8 :)
<influx> okay
<influx> the next screen allows some basic package selection
<influx> most users can just use the defaults
<influx> note that GNOME and KDE are desktop environments
<influx> they include all kinds of nifty GUI programs, similar to a windows or mac system
<influx> you can install both and choose which one you prefer
<influx> hit next and we are in X config
<influx> X is the graphical system which handles the underlying GUI
<influx> red hat 7.1 does a great job of probing your video card
<influx> you can probably leave the default
<influx> otherwise select your card from the list
<influx> most modern monitors will also be autodetected
<influx> simply hit next or select your model
<influx> a note for video cards:
<influx> some of the newer NVIDIA and 3dfx don't include default support in linux
<influx> this isn't a flaw of linux, but the fact that some of these companies haven't released their specs or have only closed source drivers
<influx> nvidia for example does have drivers available for download, including opengl support
<influx> just be aware that they are closed source
<influx> it's a good idea to check websites and newsgroups for which cards are best supported by which companies and buy from them :)
<influx> at this point, redhat is ready to install
<influx> it'll put the packages onto the hard drive
<influx> you may be prompted for the second CD-ROM
<influx> once they complete, you should have a working system, remove the cd, and reboot :)
<influx> any questions? :)
<influx> please note
<influx> that Red Hat Linux should be referred to with this capitalization and spacing :)
<LinuxWolf> <inshuru> asks do you need both cd's to do an install
<influx> the company is Red Hat and is traded by the symbol rhat on nasdaq
<influx> for most installs you do need both
<influx> if possible support Red Hat by buying their retail product
<influx> they also have support available
<LinuxWolf> gotta love support
<LinuxWolf> :)
--- influx sets mode -m #live
<Spec> eLLo
<influx> i'll open the channel up for discussion/comments/questions
<spot> support is indeed, your friend. :)
<LinuxWolf> also a lot of computer manufacturers are now offering to ship your computer with either windows 2000 or Linux
<Dazman> it's spot
<Dazman> :)
<LinuxWolf> so the support of IBM, Dell, and HP is welcome also
--- ChanServ gives channel operator status to Dazman
--- Dazman removes channel operator status from Dazman
<LinuxWolf> as all offer to ship your computer with Linux installed for you if you request it
* spot adds that if anyone has Red Hat Linux specific issues, feel free to drop by #redhat on this same network
<Spec>
<Spec>
<Spec> ops, sorry
--- Wintersun_afk is now known as Wintersun
<Hawkboy2k> you mentioned that 2.4.9 is the default but 2.4.10 has better VM...
<Hawkboy2k> As a newbie, should I venture into updating my kernel just for this?
<influx> actually i think 2.4.2 is the default
<spot> in Red Hat 7.1? 2.4.2 is the default.
<influx> upgrading the kernel can be kinda tricky at first, 2.4.2 is pretty good for general use
<Hawkboy2k> Okay. Plenty of RAM here anyway... :-)
<influx> yeah RAM is cheap these days :)
<LinuxWolf> a small note though, don't try to save your old config of the kernel and import it into Xconfig
<LinuxWolf> you cant use the kernel source tar ball and use a rpm based kernel as the config
<Hawkboy2k> Opinions on purchasing the Red Hat Deluxe Workstation Package? Easier to get basic and then just get the apps I need?
<LinuxWolf> it will bork on you as redhat and mandrake both path their kernels to death
<LinuxWolf> path/patch
<Hawkboy2k> Good to know.
<LinuxWolf> Hawkboy2k: you're welcome, I just thought I'd save you the trouble a guest had for days on end is all
--- Wintersun has changed the topic to: Thanks for joining #live! The log from today's even will be posted in the next couple of days | Please join us on Wednesday at 6pmPDT for "Configuring a Firewall with Linux"
<LinuxWolf> was not his fault at all
--- Wintersun has changed the topic to: Thanks for joining #live! The log from today's event will be posted in the next couple of days | Please join us on Wednesday at 6pmPDT for "Configuring a Firewall with Linux"
<LinuxWolf> he was attempting to use a rpm based kernel as the config while trying to upgrade the kernel from source. it won't work
<LinuxWolf> I can't say that enough, PLEASE learn how to build a kernel from source, and not rely on rpms
<LinuxWolf> takes a few tries but once ya can do it, it's a breeze
<influx> yeah, just make everything as possible a module so kudzu can autodetect it
<influx> seems to work pretty well
<TallGuy_> linuxwolf: With the ac patches you can have both. make rpm is a handy build target... :)
<LinuxWolf> I prefer to use source
<LinuxWolf> but of course is choice
<influx> btw, anyone know if there are ext3 patches for 2.4.10?
<TallGuy_> linuxwolf: You can do both. Build it by hand, then make an rpm for easy installation :)
<xeno42> influx: you don't want 2.4.10
<LinuxWolf> TallGuy_: that to me makes no sense really, as no 2 computers are identical unless you had an office and all machines are the same
<TallGuy_> influx: Haven't seen one yet, nor an ac patch
<TallGuy_> linuxwolf : It makes sense when wanting to retain a complete rpm database (which I do prefer for security reasons)
<influx> guess i'll stick with 2.4.9 for awhile then :)
<xeno42> influx: probably best off running 2.4.9acFoo
<xeno42> influx: but if you're feeling suicidal: http://www.uow.edu.au/~andrewm/linux/ext3/
<xeno42> ;-)
<TallGuy_> influx: Oh, and btw, up2date is a great way to update a 6.2 box to 7.1 :)
<influx> wow didn't know that was possible :)
<TallGuy_> influx: Doing that now on my alpha... *grin**
<Ghop> Has the tutorial officially ended?
<influx> Ghop: yeah
<Ghop> Great, thanks, most informative!!
<LinuxWolf> Ghop: yes it has but you can ask ?'s and if someone knows will try answer
<TallGuy_> influx: VersionOverride=7.1 ; /usr/sbin/up2date -u ; if necessary resolve some dependencies by hand. :)
<influx> sweeeet
<TallGuy_> influx: It's a great way to do small incrementals (7.0 - 7.1 works flawlessly), and is doable for major upgrades. :)
<TallGuy_> influx: You just need enough room in /var/spool/up2date :)
<influx> TallGuy_: good deal, thats a good tip
<TallGuy_> influx: That's what I thought when I thought of it... :)
<Ghop> I need to play for a while, is this forum usually available for Q&A?
<TallGuy_> influx: Only try this with high bandwidth though... No modems apply... :)
<influx> Ghop: we are here for events, but #linuxhelp is 24/7
<LinuxWolf> Ghop: no just live events i suggest #linuxhelp for general questions
<Ghop> Excellent, later...
<influx> Ghop: thanks for coming by :
<LinuxWolf> be well
<LinuxWolf> hope the event helped you
<wem> yes, thanks and see you wed for firewall event
--- Wintersun is now known as Wintersun_afk
<Hawkboy2k> Thanks to all for the tutorial!

Brian Richardson, one of our Linux.com contributors, talked about some of the basics of setting up your own network in your home. Although gritty details weren't covered, he made sure to reference elsewhere for some of the more detailed information needed.

<brianr007> Ladies & Gentlemen
<brianr007> and Windows users
<will`> Wee! :)
<brianr007> Welcome to Linux.com Live!
--- starlady sets mode +m
<brianr007> Tonight is a basic introduction to Linux networking
<brianr007> But first, a few ground rules
<brianr007> (1) No talking out of turn. I (brianr007) am the host. Many others will be called upon as experts.
brianr007 brainless_away
<brianr007> but, all questions should be messaged to lcmoderator
<starlady> brianr007 puts the smack down
<brianr007> he will pass them into the channel
<brianr007> "Can you smell what brianr007" is cooking?
* brianr007 digresses
<brianr007> (2) This broadcast cannot be retransmitted without the expressed & written permission of Major League Baseball
<brianr007> (3) Transcripts will be available at linux.com by the end of this week
<brianr007> (4) Offer void in Georgia. 6% sales tax applicable.
<brianr007> (5) Any questions not answered here may come up in another forum, such as the upcoming Linux.com Live! event about firewalls
<brianr007> (check your local listings)
brianr007 brainless_away
<starlady> brianr007: can you hang on a sec
<brianr007> (6) brianr007 is a bad typist, so go easy
* brianr007 waits
<starlady> brianr007: we're getting that announcement made so we may have more people
<brianr007> ok
* brianr007 hums
* brianr007 idle for 18 seconds
<starlady> :P
<starlady> it's coming
<lcmoderator> <will`> Can we hear a bit about who Brian is? :)
<brianr007> so, two penguins waddle into a bar ...
<brianr007> sorry
<lcmoderator> <Saltbread> is it ok if we laugh because brianr007 is really funny ??
<starlady> Saltbread: go ahead, he's this funny in real life too :)
<starlady> brianr007: obviously, said announcement has gone out, so proceed at your leisure :) and thanks for holding
<brianr007> it's a bit crowded in here ...
<starlady> yeah, and someone's taking a shower, what's up with that
<starlady> this is a family channel ;P
<brianr007> anybody else ...
<brianr007> Bueller ...
<brianr007> Bueller ...
<brianr007> ok
<brianr007> let's try this again ...
<brianr007> I (brianr007) will be the host for tonight's Linux.com Live! event
<brianr007> Tonight's topic is basic Linux networking
<brianr007> First, basic rules (again, for those joining late)
<brianr007> All questions should be messaged to lcmoderator
<brianr007> No talking out of turn
<brianr007> Several in the audience are plants, and will be called upon as "experts" during the show
<brianr007> (do not be alarmed, they know who they are)
<brianr007> A transcript/summary of this event will be posted on linux.com later in the week
<brianr007> Several networking topics will not be covered in this event ...
<brianr007> but will be in future Live events of Linux.com articles
<brianr007> For example ... an upcoming session on firewalls (very nice)
<brianr007> Plus ...
<brianr007> past articles on SAMBA & general networking can be found in the Linux.com archives
<brianr007> Now for introductions of the main players ...
<brianr007> I (brianr007), in real life, am Brian Richardson
<brianr007> Former Program Manager of Linux.com Hardware
<brianr007> Author of n+1 hardware articles, plus many Tux Noir articles
<brianr007> I am representing the nuts+bolts aspect of this session
<brianr007> Plus playing Dennis Miller to my Al Michaels ... xeno42 (linux.com web dude)
<brianr007> (he's British, don't be alarmed)
<brianr007> lcmoderator's identity was changed to protect the innocent ... just send him the questions
* brianr007 waits for it all to sink in
* lcmoderator curtseys
<brianr007> ok, are we ready to partyyyyyyyyyy ...
<brianr007> oops, wrong show
<brianr007> Ready kids?
* brianr007 takes silence as acknowledgement
<brianr007> First, let's talk about basic configuration ... hardware
<brianr007> Many users will have a network device in the system when installing Linux for the first time
<brianr007> This makes things a lot easier in the long run ...
<brianr007> since many distributions will not install ANY network support if no network device is present at install
--- #live :The hand of the deity is upon you, thy nick may not change
* starlady is away: dinner
<brianr007> So before installing a distribution, check their hardware compatibility database (or support page) to make sure your card is covered
<brianr007> Many problems are solved by this simple task
<brianr007> If you don't have a card already picked out for the system, I have a few preferences ...
<brianr007> Intel PRO/100 (aka EtherExpress, ee100)
<brianr007> Linksys 100TX
<brianr007> Both available most anywhere parts are sold
<brianr007> There are dozens of cards supported by Linux, but make sure it's on the list
<lcmoderator> <will`> How well are wireless lan cards supported?
<lcmoderator> <will`> And WLAN in general
<brianr007> One point of confusion ... the card's brand name isn't always listed as supported,
<brianr007> but the chip on the card will be
<brianr007> will`: that's a great question ... xeno42 has more experience with that than I
<brianr007> xeno?
<xeno42> wlan is supported pretty well
<xeno42> most cards are supported afaik
<xeno42> there are whole websites devoted to the topic
<xeno42> we did a live event about it from Linuxworld last month in fact
<brianr007> one thing to note ... many current distributions won't detect these cards at install time
<brianr007> but they're added to the configuration pretty easily
<lcmoderator> <Kingsqueak> little information on performance specs of ethernet chipsets specific to linux is available, can you ask brian to justify a bit as to why those chipsets are his preference?
<brianr007> Kingsqueak: sure
<brianr007> the performance is part of the issue, but it really comes down to stability and ease of support
<brianr007> Many "generic" cards won't run as fast because the chips don't support full-duplex
<brianr007> (send & transmit at the same time)
<lcmoderator> <Saltbread> hmm...when Xeno is finished, could you tell Brian that I think that the module name for the Intel card he spoke of might not be ee100...not 100% sure though....could be wrong...
<brianr007> or use really bad components
<brianr007> but with Linux ... especially before the 2.4 kernel ...
<brianr007> drivers were the real problem
<brianr007> The Intel card is pretty universal now, so the support is there in the kernel & driver set
<xeno42> Intel driver is eepro100 typically; very common
<brianr007> The Linksys card is based on the DEC Tulip chipset ...
<brianr007> and that's one of the best drivers (IMHO) in the Linux world
<brianr007> it's fairly old (aka proven)
<brianr007> right ... eepro100 is the Intel module name (thanks)
<brianr007> With a lot of new distros (Mandrake 8.0, RedHat 7.x, SuSe 7.x, ...), the installer is very intelligent
<brianr007> and will detect network cards easily
<brianr007> especially if they're PCI-based cards
<brianr007> sidenote ... stick with PCI on newer systems (fewer headaches)
<brianr007> anyway ... assuming the card is detected, and your network cable is hooked up to something useful
<brianr007> the hardware is done
<brianr007> (unless you want to change hardware later ... we'll keep that topic for later)
<brianr007> now linux has to be configured to find the rest of the network ... the internet & all that
<brianr007> xeno ... you want to take this topic for a minute?
<xeno42> i think you're doing fine ;-)
<brianr007> well, up till this point ... you might be better at all the settings & such
<brianr007> (I cheat & use linuxconf a lot :) )
<lcmoderator> <will`> Cross platform networking: what problems could occur networking a Linux box to a Windows one?
<brianr007> will`: that's kinda a SAMBA question ... we'll touch on that later
<xeno42> Okay
<xeno42> well, with your network card detected, your distribution install program is likely to ask you a few questions to configure your new network card
<xeno42> those will include: IP address, DNS addresses and gateway address.
<xeno42> If you're on a larger network, you may be able to make use of DHCP, if such a server is available
<xeno42> if you can use that then getting yourself online suddenly becomes very easy as your Linux machine can just ask the DHCP server for the right settings automatically. However, if you're setting this up at home, chances are that isn't an option
<brianr007> DHCP == Dynamic Host Configuration Protocol (hands your PC an IP address)
<xeno42> The IP address you use will depend on what sort of network you're joining. If you're on a 'real' network, the network administrator will give you an IP address.. If you're connecting to the Internet via a cable modem connected to your network card then you will want to use an IP address specified by your isp
<xeno42> and that's part of a larger issue, which we've covered on linux.com
<xeno42> but for now, we'll assume you're setting up a little network, isolated from the rest of the world
<xeno42> so you'll need to pick an address to use.. - You shouldn't pick just any address though
--- Notify: shaleh is offline (sagan.openprojects.net).
<xeno42> there are ranges of IP addresses reserved for 'private' (non Internet) use.
<xeno42> For our example here we can choose 192.168.1.1 as our machine's address, with a netmask of 255.255.255.0
<xeno42> if we added another machine to the network, it could have 192.168.1.2
<xeno42> as we're isolated from the world, we can leave the gateway blank - but if you have a router on the network, you'd specify its IP address here
<brianr007> to add some definitions ...
<brianr007> "gateway" defines the IP of the machine that allows you to get to the Internet
<brianr007> if you're using a router to get onto the Internet (like one of those Linksys boxes),
<brianr007> then it would be that device/machine
<lcmoderator> <will`> Protocols?
<brianr007> Those are the basic bits of information you'll have to provide during installation
<brianr007> Protocol ... Linux, by default, does everything using TCP/IP (basic Internet protocol)
<brianr007> There are kernel options to support other more obscure protocols, but those are mostly for older systems (like AppleTalk)
<brianr007> In general, TCP/IP for everything
<brianr007> Which makes it easier to talk to other PCs
<brianr007> With Windows, you'll need extra software to see the "Windows Network Neighborhood" (sp?)
<lcmoderator> <will`> How would internet connection sharing work?
<brianr007> That's called SAMBA ... it implements the SMB protocol on top of TCP/IP
<brianr007> will`: sit down, young man ... I'm getting to it
* brianr007 can't type that fast
<brianr007> anyway ... SAMBA is another session, because it's not really "basic" networking
<brianr007> with Windows, it's the built-in way that computers share information
<brianr007> with Linux, since it's designed to be more flexible, there's no real "assumed" default
<brianr007> many other standards, like NFS, can be used (depending on what you're trying to share data with)
<brianr007> Anyway ... connection sharing ...
<brianr007> There's two setups here ...
<brianr007> (1) The Linux machine is going to use a shared connection (like a Linksys router)
<brianr007> (2) The Linux machine will provide the shared connection to other PCs on the network
<brianr007> The second setup will be covered some in the Linux.com Live! event on firewalls (tomorrow at 8PM EDT, I think)
<brianr007> A lot of Linux-based "firewalls" are really acting as both firewall and router
<brianr007> firewall == a network packet filter, designed to keep undesired traffic off your network
<brianr007> (these keep nasty script kiddies with too much time on their hands out of your precious MP3 collection)
<brianr007> router == used to define a network device that moves packets from one network segment to another ...
<brianr007> in this case from your "private" network to the public Internet
<brianr007> the router does the real "sharing" work
--- starlady gives voice to ElectricElf
<ElectricElf> Oh, thank you starlady :)
<brianr007> Linux handles through "IP masquerading" ... making one IP from an Internet provider provide a connection to many PCs
<brianr007> I yield to ElectricElf at the request of the lady ...
<ElectricElf> Hehehe :) What was the question?
<starlady> nah, he's just here to hang out
<starlady> :)
<brianr007> nutz ... don't do that
<starlady> :P
<ElectricElf> starlady: Yeah :)
<starlady> if I interrupt you'll know it
<starlady> something like: shut up and let the man speak
* starlady runs like heck
* brianr007 throws cat out of his fish dinner and goes on
<starlady> *grin*
<brianr007> anyway ...
<brianr007> In setup 1 (Linux using a shared connection) ...
<brianr007> Linux doesn't care from where the packets come
<brianr007> Just make sure the Linux machine is configured to use an IP address that matches the scheme of the sharing system (tends to be 192.168.xxx.xxx)
<brianr007> and lists the proper gateway address (in many cases, 192.168.0.1 or 192.168.1.1)
<brianr007> oh ... almost forgot ...
* starlady is back (gone 00:37:55)
<brianr007> you need to also specify the Domain Name Server (DNS) the network uses
<brianr007> DNS == turns sitenames into IP addresses (it's a HUGE looktable)
<brianr007> er, lookup table
<lcmoderator> <m0rt> But how would you set it up if your DSL provider gave you a unique IP address for every machine on your network?
<brianr007> m0rt: that's a different setup than connection sharing ...
<brianr007> because you're not really sharing the connection
<brianr007> in that case, the DSL provider will hand you some static IP addresses
<brianr007> and you set each PC up with its own address
<brianr007> (some may also provide a nice router at your site, but that's only in expensive business configurations)
<lcmoderator> <drnoah> it's worth pointing out, you can have a mix of several public IPs, and several internal ones (as I do)
<lcmoderator> <Kingsqueak> in the case of several live IPs you would be best served to configure a bridge device firewall with no IP addresses on its interfaces; this would be placed 'in front' of the switch where all the clients are connected
<brianr007> "connection sharing" really means "how can I get everybody on-line without paying the phone company too much money" :)
<brianr007> drnoah: right. I've done that before as well ...
<brianr007> anyway ... this is supposed to be basic networking ...
<brianr007> so now I summon the mighty xeno42 to help users find out how to change these parameters when Linux is up and running
<xeno42> heh
<brianr007> xeno42: can you give a quick rundown of changing parameters?
<xeno42> well now, that's very much going to depend on which distribution you're using
<brianr007> well, that's true
<xeno42> If you're running RedHat then you'll probably want to use linuxconf
<brianr007> same goes for Mandrake
<xeno42> I'm not familiar with Mandrake, but it's probably the same
<xeno42> SuSE has Yast
<xeno42> ie. most of the beginner-oriented distributions have one main tool used to configure all the main settings
<xeno42> Distributions like Debian and Slackware, on the other hand, are another matter
<ElectricElf> Debian: A configuration file(usually edited by hand), /etc/network/interfaces, and a command('/etc/init.d/networking restart').
<xeno42> you'll probably be editing files by hand in those instances
<lcmoderator> <Saltbread> could you tell Xeno that under Red Hat linuxconf is being deprecated... i.e. they are no longer gonna be putting it into their distribution...
* xeno42 runs Debian personally
<xeno42> no doubt the configuration tools for Redhat et al are available from a menu on the desktop
<brianr007> but it's nice to know the files, just in case the nifty tool is unavailable
<lcmoderator> <Saltbread> tell him he can use "setup" from the console prompt under Red Hat... that has a built-in menu program that covers that sort of thing...
<brianr007> for the average user, hand-editing files isn't the right way to go ...
<brianr007> the networking HOW-TOs (available at linux.com) cover this in good detail
<brianr007> but, most folks can rely on their distribution-provided tools
<brianr007> most of which run in the fun colors of X
<brianr007> We're at a good point for questions from the audience ...
<brianr007> I know we've probably missed what a lot of people wanted to talk about ...
<lcmoderator> <OpSo-user> what are the tools to use, to get a proxy with GNU/Linux as server and Win32 as clients?
<brianr007> Proxy? Does it have to be proxy, or just connection sharing in general?
<brianr007> The two are very different ...
<xeno42> OpSo-user: If you want a real web proxy, the application you're looking for is called Squid. If you just want to share a connection then that's another matter
>brianr007< let me know when you want me to unmoderate it and we'll open it up for general q&a/discussion
<brianr007> Proxy is like what AOL does ... no, not sending 10,000,000 free CDs in the mail ...
<brianr007> Proxy basically caches internet content (websites) on a computer ...
<brianr007> then everybody else on the network uses that cache as their web content
<brianr007> proxy has serious problems with any site that updates content on a regular basis
<brianr007> (like cnn.com, message boards or any cartoon site)
<brianr007> that's why so many sites have disclaimers about access via AOL
<brianr007> If you ABSOLUTELY have to have it ... there's a HOW-TO (yippie)
<brianr007> http://linux.com/howto/mini/Proxy-ARP-Subnet/index.html
<xeno42> er
<xeno42> i don't think that's the one you mean
<brianr007> well, perhaps I grabbed the wrong HOW-TO
<brianr007> ARP ... geez, I hit the Smithsonian section of linux.com for that ...
<brianr007> damn you right-click ... damn you!!!!!!!!!!!!!!
<brianr007> anyway, I'm sure somebody will find the right one on Linux.com ... it does exist
<brianr007> but (IMHO) Proxy may not be the way to go on a new setup
<lcmoderator> <Kingsqueak> caching proxies have very serious utility when doing content filtering as they avoid the burden of refiltering commonly fetched pages in those situations. This is quite common in corporate networking configurations. Additionally most proxies have the ability to setup cache expirations by domains, so commonly accessed domains such as cnn.com can have a 30min expiration for refresh or less.
<brianr007> Kingsqueak: yes, they do have their place ...
<brianr007> anyway ... any other questions?
<lcmoderator> no questions here
<brianr007> ok, then we can open the room to a free-for-all-Texas-information-battle-royal ...
--- starlady sets mode -m
<brianr007> or take this party down the street
<starlady> thanks very much brianr007, xeno42, and everyone else who participated
* brianr007 bows
--- ElectricElf removes voice from ElectricElf
--- lcmoderator is now known as influx
* brianr007 hopes this helps somebody
<starlady> logs will be posted on linux.com by week's end
<brianr007> don't forget to check linux.com for upcoming Live! events
<sparky> can you answer just one more question?
<ElectricElf> Proxies are a (more primitive, in my opinion) form of connection-sharing. Instead of just attempting to make connections, the client application *asks* the proxy to make the connection, explicitly. While that sort of setup has advantages, it is not as flexible as Network Address Translation and Masquerading. As such, there are many different types of proxies, like Squid the http/ftp proxy. So to be able to answer that question, more inf
<starlady> right, tomorrow we're setting up a firewall
<ElectricElf> OpSo-user: So would you like to refine your question further?
<brianr007> sparky: fire!
<OpSo-user> OpSo-user: nope, thanks anyway :)
<ElectricElf> OpSo-user: Heh :) Gotcha ;)
<OpSo-user> lol
<sparky> I've got two NICs, I understand that there's a way to have only one IP for both, is this correct?
<sparky> Both NICs are in one box (running RH 7.1)
<brianr007> well, sort of ... that's not a typical configuration (or necessarily recommended)
--- starlady has changed the topic to: #live Welcome to Linux.com Live! Our next event is "Configuring A Firewall With Linux", Wednesday at 6PM PDT.
<brianr007> xeno42: help me with sparky here ...
<xeno42> uh
<xeno42> sparky: what are you trying to achieve exactly?
<m0rt> two nics are usually used for a linux router bridging two networks
<sparky> The two NICs I have, one USB and one PCMCIA. I have to deactivate one or the other to comm with the NT 4.0 box, I was hoping there was some way
<sparky> to have both operating so that when I change from the slower USB to the faster PCMCIA (for file xfer) I wouldn't have to deactivate/activate one over the other.
<brianr007> sparky: so both NICs are on the same network with the NT box?
<brianr007> sparky: that's not a typical configuration
<sparky> yep. but the PCMCIA runs hot, so I like to use USB unless a large file xfer is needed.
<brianr007> well ...
<brianr007> you can give each NIC a different IP address, and pick the IP based on the transfer type
<m0rt> i don't think it would damage it even if you put a high load on it
<brianr007> everything PCMCIA runs hot
<brianr007> it's designed to
<brianr007> just take the laptop off of your lap when sending over 100 MB ;)
<m0rt> i wouldn't worry about it
<m0rt> it's sort of awkward to do what you are attempting to do
<Kingsqueak> a hint, make sure the USB interface is forced to the proper transfer mode, some interfaces take a 15% performance hit when left in 'auto' mode
<Kingsqueak> that is if the driver supports forcing full-duplex or half-duplex
<brianr007> well, USB does suck as a network interface ...
<brianr007> a 10baseT connection eats all of your USB bandwidth ...
<brianr007> so I'd use the PCMCIA whenever available
--- ChanServ gives channel operator status to Beret
<sparky> they both run full-duplex @ 100 Mbps, but as you know, USB is only about half the speed due to its limitations (at least until 2.0 is out), but I try to keep this Dell Inspiron 7000 running as cool as possible. At least now I can use the USB adapter (couldn't when running RH 5.2). I just thought I had read somewhere that you could "ghost" one adapter to use the same IP as another installed in the same system.
<brianr007> er, no sparky
<brianr007> USB runs (at best) 12 Mbps
<brianr007> add about 10% for transaction overhead ... and that's a full-duplex 10BaseT connection
<m0rt> does anyone here know if the Intel Inbusiness 10/100 8 port switch is good, or should i spend the extra on a similar 3com?
<Saltbread> brianr007: or anyone else, which is faster usb, printer or serial ports?
<ElectricElf> m0rt: I've had good luck with Intel networking hardware. Never specifically switches, though.
<brianr007> sparky: you can make one ethernet adapter run multiple addresses, but the other way around is kinda weird
<influx> i'm happy with my dlink 8 port switch
<m0rt> influx: how much did you pay for it?
<brianr007> Saltbread: USB, printer, then serial (in descending order)
<influx> about $60 if i remember
<m0rt> hrm
<lazarus> how plausible is it to have two separate cables between the two machines?
<brianr007> sparky: the problem with making two cards handle one IP address ...
<Saltbread> alright I got a weird question: how plausible is it to have bought an external USR modem and a cable to connect to your computer and the cable not be a RS232 cable but the modem still work
<brianr007> sparky: is that TCP/IP packets have this annoying habit of arriving out of order
<brianr007> sparky: so it's hard to sort packets from two interfaces that are trying to look like one IP
<m0rt> Saltbread: the 5686D?
<Saltbread> nah....that one is the new Performance modem...I'm talking about the older V90 based USR modems...
<Saltbread> I doubt they make them anymore...
<m0rt> oh
<brianr007> Saltbread: what is it hooked up to?
<sparky> I don't have two cables, just one. I unplug the USB when switching over to the PCMCIA, but then I have to deactivate one and activate the other. This seems to throw the NT box into the ozone for a bit before things get squared. Thanks for the feedback, tho!
<brianr007> sparky: it's not confusing the NT box, it's confusing your hub
<Saltbread> you see my problem is that I have one and it doesn't do 56k connections very well... it may connect anywhere between 44000 and 45333 but the connection rates are always up and down... when I force the modem (using init settings) to 33.6 connections, no matter what I download I get constant 3.6-3.8 downloads as you might expect... but when I let the modem connect at whatever it wants to connect at, inconsistency
<brianr007> sparky: see, every network card has something called a MAC address
<brianr007> sparky: that's what your hub uses to move stuff from one port to the next (it's somewhat intelligent)
<sparky> Ah, bet you're right. It's actually the switch, tho an active hub would store the MACs, too.
<brianr007> sparky: so your hub has this internal link between your PC's IP, MAC & port number
--- Beret is now known as Beret_afk
<brianr007> sparky: change one, and the hub has to re-do its route scheme
<brianr007> sparky: the hubs we used to have at work did this all the time ... get a new IP, wait forever to pass traffic again
<brianr007> (we threw them away)
<Saltbread> I borrowed a friend's modem....the USR 2677 I believe...it is the one featured every month in PCGamer in the back when they are talking about the best equipment for your system...anyway, his modem connects around 45333 and downloads like a dream...very consistent...that's why I wondered if an external modem with a non RS232 cable could explain my problems
<brianr007> Saltbread: internal or external? software or hardware data-pump?
<brianr007> Saltbread: that makes a big difference
<Saltbread> even more interesting is the fact that I bought a Dlink USB DU-560M (it's the Latin American version of the DSB560 usb modem) recently and I got the same shitty results when letting the modem connect at whatever it wanted to... do I assume it is an external modem problem?
<Saltbread> it's a hardware modem...at least I assume so since it is external....
<brianr007> Saltbread: most USB modems won't be hardware-based (and most Dlink modems are scary)
<brianr007> Saltbread: external serial-port modems are still the best (they're just expensive and hard to find)
<Saltbread> brianr007: well I found out that the North American version is hardware-based or at least complies with ACM...the South American version doesn't...
<m0rt> the 3com USR 5685D is nice
<m0rt> and i think you can get it for under $80
<m0rt> it's the newest USR external serial 56k
<Saltbread> brianr007: well...recently (as in yesterday) I discovered that my modem could be flash updated to V92 based code...
<Saltbread> so I did just that and upgraded it....
<Saltbread> unfortunately, my ISP doesn't support V92....
<brianr007> Saltbread: very few support V92
<Saltbread> since the update, the modem has been connecting at paltry connection rates....REALLY REALLY paltry....
<brianr007> Saltbread: V92 is a last chance for modems to do anything new (and many phone lines won't support it)
<lazarus> V92?
<Saltbread> e.g first time out it was 32.2, then 29.2 then 38.something etc...I just don't know what to do...I have been looking into getting one like my friend but money is a major consideration...
<lazarus> how does V92 differ from V90? (in a nutshell)
<brianr007> like V90, but supposed to give high-speed both ways
<brianr007> instead of just downstream
<brianr007> it suffers from the same problems that V90 did when it first came out ... phone line wiring problems, lack of ISP support, bad 1st generation firmware upgrades
<Saltbread> There are selling a V92 external USR in a store here...and a ISA based USR as well...short of buying one like my friend's off the net, I am stumped as to what to do...
<m0rt> people don't really care now since cable and dsl are becoming more common
<m0rt> so i guess the ISPs aren't rushing to implement it
<lazarus> and isps are probably less willing now to upgrade hardware, with less new customers likely
<lazarus> exactly
<brianr007> m0rt: exactly ... modem vendors needed something new as excuse to charge more for a dying product line
<brianr007> modems are becoming a commodity item
<brianr007> they're easily emulated with little software, and can be bought for under $20 in a PC shop
<m0rt> i just wish DSL/cable were available where i live :(
<Saltbread> I wish I could convince little old Barbados ISPs of that...there is DSL here now but it is unaffordable...whats more....not all of the telephone lines are DSL technology....
<Saltbread> the whole thing is just annoying me....
<brianr007> hey, It's still a problem in the US
<brianr007> I had to beat on my telco for 9 months to get DSL ... and I'm 25 miles from Atlanta
<m0rt> they have DSL 3 blocks down from me but not where i live :(
<Saltbread> oh btw guys, will` said to tell you guys thanks for the info....he plans to make the jump to Linux soon hopefully....
<brianr007> the home of the telco I was beating on
<brianr007> cool
<Saltbread> the only solution I see working for me for sure is a new modem like my friends or the one that I think m0rt mentioned...
--- You are now known as star_sleep
<Saltbread> the new Performance Pro or something like that it is called...
<brianr007> anyway, I'm going to smack X4 into submission (try to play nice with my notebook's Nvidia GeForce2)
<m0rt> or you could just get some cheap internal PCI job =)
<brianr007> nite

All IRC Live! events are moderated. This means that audience members message their questions to the moderator and the moderator asks questions in the channel, so any question that comes from 'lcModerator' is a question from an audience member. Thanks and enjoy the log.

Jeff McClure, a Linux.com contributor who is also experienced in setting up and maintaining his own firewall, discussed some of the basics that need to be known before configuring your own firewall. ElectricElf also helped out by answering some of the questions asked during the event.

<lcModerator> if you have questions please direct them to me, and I will forward them to our host
-lcModerator- I am yes
<Wintersun> Okay, I'd like to welcome everyone to #live!
<lcModerator> please feel free to /msg lcModerator your questions I will post them to channel
<Wintersun> Tonight, Jeff McClure (aka jeffie) will be talking about configuring a firewall with linux
<Wintersun> yes, please /msg lcModerator any questions you have and he will ask them at the right time.
<jeffie> Well, I guess that means I'm on.
<Wintersun> yes, it does. :)
<jeffie> Hello, everyone. Wintersun asked me to host tonight's chat mostly because of my personal experience setting up a Linux machine as a firewall.
<jeffie> Tonight, I'm going to try to give some introductory notes on how to make this work.
<jeffie> First, probably some definitions are in order:
<jeffie> A firewall is a computer which is connected to two different networks and serves as the "traffic cop" (so to speak) between those networks.
<jeffie> Firewalls are most commonly used as a means of restricting the types of traffic that can travel between the two networks.
<lcModerator> <buzzsaw> what is the difference between a proxy and a firewall
<jeffie> A proxy is actually a way across the firewall...
<jeffie> It is a piece of software that accepts traffic from one network and hands it across to the other network in a controlled manner.
<jeffie> One example is a company using a web proxy to allow access to the web from the inside without actually allowing inside computers to connect directly to outside computers.
<jeffie> ...usually for security reasons.
<ElectricElf> buzzsaw_: A firewall, typically, intercepts network packets and makes decisions on both the contents of the packet as well as the header information ... stuff like destination address, source address, so on and so forth. Ports and the like. What decisions it makes depends mostly on the firewall software itself; the simplest would simply say "okay, you can continue" or "no, I'm afraid I'm going to stop you". Generally firewalls aren't
<ElectricElf> buzzsaw_: Proxies are also more intrusive.
<lcModerator> bastos* Is firewall necessary for a single Linux box network?
<ElectricElf> buzzsaw_: A client application typically has to *ask* the proxy to do its stuff.
<jeffie> EElf: Exactly. With a proxy, the computers on the two networks explicitly talk to the proxy machine to pass their traffic.
<jeffie> bastos: I think it's a good idea...
<jeffie> Here's why...
<jeffie> Even with only one computer, malicious traffic can still come from the outside connection...
<jeffie> With firewalling rules in place to allow only wanted packets through, you reduce your risk of being cracked.
<ElectricElf> bastos: Of course, if the computer is completely isolated; ie: no connection to the outside world, *whatsoever*, setting up a firewall is probably superfluous.
<lcModerator> can you elaborate on what Cracked means. Most people feel you're cracked only if you lose files or a directory. But it is more than this, is it not?
<jeffie> Yes it is.
<jeffie> For one example, can I assume that folks are familiar with what a denial of service attack is? Do we need to define that?
<Wintersun> It would be good to just quickly define it, yes.
<lcModerator> I think for new users yes what is a DoS attack
<jeffie> A denial of service attack is a network attack in which the attacker's aim is to use up some resource (network bandwidth, commonly) so that legitimate traffic can't happen.
<jeffie> One way of being "cracked" that is becoming more common...
<jeffie> is for the attacker to gain access to a large number of computers out on the Internet without the users of those computers being aware...
<jeffie> The attacker then uses the combined resources of these computers to send floods of network traffic to stop the operation of, say, a web site.
<jeffie> Setting up firewall rules can help prevent the attacker from gaining access to your computer in the first place.
<jeffie> That's one example.
<ElectricElf> I would say that "cracked" means that somebody is doing something to, or is doing something *with* your computer, which you are unaware of. Or don't want.
<ElectricElf> In general terms.
<jeffie> That sums it up pretty well. The bad thing is that the default settings in some distributions of Linux leave several system services running and open to attempts.
<jeffie> Shutting down services you don't need is a good first step.
<ElectricElf> Something to note is that Linux can be significantly more powerful than some other, well-known operating systems. As such, somebody who has control over your computer can do a lot of damage.
<jeffie> But restricting access to the ones you _do_ need (I think) is the best next step for anyone not running a truly public server.
<ElectricElf> It should be considered "being a good citizen" to set up a firewall, so that people can't use your computer for nefarious purposes.
<jeffie> Attacks are getting more sophisticated, but...
<lcModerator> <linuxwolf> are there some services that are more prone to these attacks than others, and what ports should, unless needed, always be shut down
<jeffie> Configuring your firewall to simply "drop" (not respond at all) to unwanted packets can actually help slow an attacker down, also.
<jeffie> linuxwolf: Yes...
<jeffie> There are some that have historically had more problems than others.
<jeffie> FTP servers and the Sendmail SMTP server are two of the more notorious.
<jeffie> The key is to only allow access to services you actually want to make available, and.....
<jeffie> make sure you're running the latest stable version of any server software.
<jeffie> Also....
<jeffie> I personally do not like to run any service which allows users to send their passwords as clear text.
<jeffie> (although that's more a network sniffing issue than a firewall issue)
<lcModerator> *buzzsaw_* Just what server software is important to keep current?
<ElectricElf> linuxwolf: You should block all ports and services that you don't use. :)
<ElectricElf> linuxwolf: (And carefully examine those you do use, from a security perspective)
<jeffie> Any server software.
<jeffie> Any software has the potential for exploitable security holes.
<lcModerator> *Viper233* Could you make a quick comment on sendmails poor security?
<jeffie> Viper233: I'm afraid I don't have enough experience with Sendmail to be specific, but...
<ElectricElf> Viper233: Sendmail was first written ages ago. It performs an important role, but some of the assumptions made way back when don't apply any more.
<jeffie> Sendmail is such a huge program, and it was written before Internet security was a real issue...
<jeffie> Therefore, it is much harder to know where its vulnerabilities lie....
<ElectricElf> Viper233: It's not that Sendmail is bad software, but it is *very* difficult to properly secure a large application like Sendmail. Especially when you didn't write it in the first place.
<lcModerator> *d4ve* jeffie: will you be going into ipchains and the methods you can use ipchains to forward and block specific ports?
<jeffie> d4ve: I can try to get to some of that, but I'm afraid that it's too long a topic to cover completely here....
<jeffie> I am planning, however, to work with Wintersun to do some articles, some of which will undoubtedly cover that very topic....
<lcModerator> I think for now if everyone would refrain from asking questions for a few minutes it would be appreciated. So that our host may actually show us how to use a firewall. Then feel free to ask questions
<jeffie> Okay...
* jeffie runs off to grab an example or two
<jeffie> Here's a classic example...
<jeffie> I'm running a box with a Linux 2.4.x kernel, thus the firewall admin tool I use is called "iptables"...
<jeffie> I have a script file which is set to run just as my outside network card comes up...
<jeffie> That script contains various "rules" which allow or drop traffic as I see fit.
<jeffie> One of those rules:
<jeffie> "/sbin/iptables -A INPUT -j DROP -i $EXTIF -p TCP --dport 137:139"
<jeffie> Adds a rule to my "input chain"...
<jeffie> That rule says to drop any TCP packet coming in on my external Ethernet interface which is destined for ports 137 through 139...
<jeffie> Those ports are used for Windows machines to share files, printers, etc....
<lcModerator> netbios ports?
<jeffie> Yes. The NetBIOS ports.
<jeffie> These packets...
<jeffie> form some of the most numerous unwanted packets I see. Most are benign (not cracking attempts), but filtering them allows my machine to not have to process them.
<ElectricElf> Some basics; there are four parts to every connection made; the source IP address, the source port, the destination IP address and the destination's port. When making a connection to a remote server, your own computer will open the connection, typically from a randomly-assigned port. Which port you connect to on the remote machine depends on the service; port 80 for web servers, port 25 for email, so on and so forth.
<lcModerator> So denying access to your cpu to have to process these requests, could actually speed up your connection and how you interact with your machine?
<ElectricElf> That's where jeffie got ports 137 and 139 from, for Windows file sharing(netbios); you can find a list in /etc/services
<jeffie> lcMod: Yes. If the traffic is bad enough.
<ElectricElf> Or your computer is old enough ;)
<jeffie> That too. :) And that's important since you can press a 486 into service as a firewall quite easily.
<lcModerator> I hope all our guests see a trend here: denying access to ports and services can make your machine not only more secure, but run faster
<ElectricElf> And you won't lose all your games and your porn collection. :)
<ElectricElf> And you'll be a good person for denying the use of your machine to those who might use it for malignant purposes.
<jeffie> As for ports, most of the lower-numbered ones (below 1024) are associated with some type of service (again, see /etc/services). Manipulating the firewall rules according to port number gives you quite fine control over things.
<jeffie> also...
<jeffie> Let's say you really want to allow a friend....
<lcModerator> now jeffie how bout we move onto how to shut these puppys down. How do we actually close ports on a machine is the most asked question right now
<jeffie> I'll hold off on that one and answer the question...
<jeffie> The ports get shut down by writing a firewall ruleset with rules that block these lower-numbered ports. The rules for an iptables ruleset will look much (but not exactly) like what I showed earlier. I have a whole list of those...
<jeffie> What I'd like to do is drop a couple of web site addresses at some point...
<jeffie> Which help explain these matters much better than I (and give specifics on the commands).
<jeffie> One thing is that which commands you use depends on what your kernel version is.
<jeffie> How about here: http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html
<jeffie> for a start.
<jeffie> It's a bit old, but it helps explain the basic concepts.
* jeffie goes for some more
<lcModerator> I may add here the IPchains and IPmasq how-to's are also excellent resources
<jeffie> For those running 2.4 kernels...
<jeffie> Here's one that gives the lowdown on how the new firewalling code (called Netfilter) works, and how to use the iptables command:
<jeffie> http://netfilter.filewatcher.org/unreliable-guides/index.html
<jeffie> I'm sorry I'm not answering directly, but it really is something you have to go study a bit...
<Matt> don't let the "unreliable-guides" put you off
<jeffie> Matt: Not really. This is the official info. It's not easy to follow, but the Howto can help with that.
<jeffie> I've also been told there's an iptables guide on Freshmeat. If you search it, it will come. :)
<jeffie> Here's another that I use for good hints....
<lcModerator> one thing about Linux is there is no lack of information
<jeffie> Exactly. :)
<jeffie> http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS/cHTML/TrinityOS-c.html
<jeffie> This is the TrinityOS guide...
<jeffie> This guy basically documents his entire Linux setup and explains what he's doing.
<jeffie> His sections on firewalling gave me a lot of insight (and some cool tricks).
<lcModerator> so how do we go about setting up a firewall jeffie, what does a new user need to have installed as basics?
<jeffie> As basics...any of the latest version Linux distros (I'm most familiar with Debian) should have a kernel which is built to handle this type of stuff...
<jeffie> You will need to also install the appropriate admin package (iptables for 2.4, ipchains for 2.2)
<jeffie> For simple firewalling, there's not much else in the way of tools you really need.
<jeffie> Basically, just research the firewall rulesets (pay SPECIAL attention to what order the rules go in...that tripped me up several times)...
<lcModerator> ah a question from a user on anothernet " Is webadmin a risk, or can it be used to create/admin a firewall"
<jeffie> webadmin.... It depends on how it's handled...
<jeffie> If you block access to it from the outside (another rule! :) ) then you should be okay...
<jeffie> If you REALLY need outside access, then PLEASE use a secure web server (ApacheSSL, Apache with ModSSL, etc.)
<jeffie> And good authentication with it!
<jeffie> (That's another topic)
<lcModerator> *bastos* Does installing a firewall interfere with some client software like streaming audio and IRC on a newbie?
<jeffie> I use web-based admin for Samba on my box, but only allow access from the inside network.
<jeffie> Bastos: If you set your rules wrong, it can. Also...
<jeffie> However, if you're talking about other machines on the "inside" network...
<jeffie> that use the firewall as a "NAT" or "IP Masquerading" box, there are other reasons why streaming media might be tougher....
<jeffie> In my own experience, if you craft your rules right...
<jeffie> RealPlayer and QuickTime don't have much of a problem...
<jeffie> And the problems they _do_ have are more due to the NAT aspects than the firewall aspects...
<jeffie> If the firewall gets in the way, you can always open a specific hole.
<lcModerator> *aikisensei* what about IDS and how it can be used to augment a firewall?
<jeffie> I'm afraid I'm unfamiliar with that term.
<lcModerator> configuring rules to only allow certain IPs, what about IP spoofing and TCP sequence prediction?
<jeffie> You're right...
<lcModerator> *aikisensei* Intrusion Detection System
<jeffie> IP spoofing can get around your rules. However....
<jeffie> It's really only good for denial of service attacks....
<jeffie> Think about it. If the attacker fakes his IP, the connection traffic can't get back to him. In my own experience...
<jeffie> I don't see a lot of what looks like spoofing, and if someone wants to DoS you, there's really nothing you can do about it at your machine.
<jeffie> In other words, IP spoofing doesn't bother me much. I
<jeffie> IDS....
<lcModerator> aikisensei: I will not post your last request only because it would lead to an entire night's questions
<jeffie> I personally don't use one (I just try to read my log files), but...
<jeffie> If you set up an IDS carefully, then it can certainly save a lot of work reading those logs...
<jeffie> HOWEVER...
<jeffie> If an IDS flags something, please be sure it's really an intrusion attempt before you fly off the handle...
<jeffie> I bugged a LOT of ISPs needlessly at first because I thought NetBIOS traffic was malicious. :)
<lcModerator> I also did my ISP because of internal VPN traffic
<lcModerator> cable ISPs were notorious for carrying normal VPN over our lines
<jeffie> Very good point.
<jeffie> And I didn't even need an IDS to make me do it. :)
<lcModerator> I thought it was attacks, turned out was the CEO having a meeting
<jeffie> I tried setting up Tripwire once. I gave up when I saw how much configuration was necessary.
<jeffie> I know this doesn't really scratch the surface as a how-to on setting up a firewall, but I'm afraid there's not a good all-in-one way of explaining it...
<jeffie> I'm encouraged by some tools out there that may help with that soon.
<lcModerator> everyone is still free to ask questions, or I will let Jeffie enjoy his dinner and un-moderate the channel
<lcModerator> He can not answer distro specific questions, or is ipchains better than iptables as they are really moot points
<lcModerator> *Viper233* what value is used for $EXTIF ? some awk/sed on ifconfig results?
<jeffie> Viper: Yes...
<jeffie> That contains the name ("eth1") of my external Ethernet adapter. I got that trick from TrinityOS.
<jeffie> It's actually just set in the script...
<jeffie> However, here's a handy bit I got from that same source:
<jeffie> EXTIP=`/sbin/ifconfig | grep -A 4 $EXTIF | awk '/inet/ { print $2 } ' | sed -e s/addr://`
<jeffie> That one gets you the address of your interface. That can be quite handy in the rules for dynamic IPs.
<lcModerator> any other questions?
<lcModerator> Then I wish to thank all of you for joining us, and to Jeff for taking time out of his night to introduce you to the power of firewalls
<jeffie> I hope it helped.
<jeffie> I'll try to gather some more info and do some articles with Wintersun.
<lcModerator> Thank you Jeff for taking time to answer our guests' questions, and thank you everyone that attended. If you missed part of this week's events, the logs will be on http://www.linux.com in the coming days
<aikisensei> LinuxWolf: why didn't you post my questions?
<LinuxWolf> aikisensei: I can not post every question
<LinuxWolf> some are asked before etc
<LinuxWolf> I do apologize but it is just not possible
<aikisensei> yes but I was really curious about the expertise of the ppl answering questions
<LinuxWolf> aikisensei: Jeffie is still here, you're more than welcome to ask him
<aikisensei> actually he just left
<LinuxWolf> yes he did, I do apologize, he did
<LinuxWolf> he has to work in the morning
<buzzsaw_> hum looks like i missed it
<bastos> I guess I would have wanted more details on "/sbin/iptables -A INPUT -j DROP -i $EXTIF -p TCP --dport 137:139"
<LinuxWolf> bastos: it is very hard to get into specifics, also it is newbie week. it is not meant to be sysadmin 303
<buzzsaw> oh well
<LinuxWolf> there are many users who don't even know what a firewall is, let alone what ipchains or iptables is etc. That is what manpages are for, or when we host advanced topic nights.
<bastos> I think at least I got one thing resolved tonight - that I can install a firewall even though I only have a one box network :-)
<Jeopardy> hmm...I've always had a problem with many manpages
<LinuxWolf> bastos: yes you can, a firewall is not more than really a set of rules that apply to incoming packets. They are allowed or denied. be it 200 computers or 1 the rules are basically the same. Only difference is machine 120 is allowed to accept requests on a given port
* buzzsaw is away: The space ship came to take me back home. Don't worry they won't keep me for long I will be back.
* buzzsaw is back (gone 00:00:05)
<bastos> One thing with experimenting with a firewall in a one box network is that you can screw up some services already being used by your users. :-)
<LinuxWolf> think of it like you have 5 football teams. but team #3 only allows players over 180cm
<LinuxWolf> that is what a firewall does in all honesty. you apply to join team #3 but are 179.99cm therefore you're rejected
<bastos> from this conversation, it seems that mail will be filtered by the firewall. But do you do that, or do you let the mail software take care of mail filtering?
<LinuxWolf> bastos: that's very true, you can. But also i think most ppl offer a lot of services just because they can. Not because they have to. And that in itself makes it dangerous
<LinuxWolf> Just because you run Linux and can, does not mean you should
<bastos> for a Windows convert to Linux, that is intoxicatingly powerful :-)
<LinuxWolf> bastos: yes it is, dont get me wrong it is very intoxicating. But you have to also realize the inherent risks involved by doing so. And not knowing how to control it
<LinuxWolf> is the greatest risk
<bastos> The use of firewall infers that one is aware of cyber-intrusions. That is one of the selling points of the current OSS to users of the other OS who are made to be unaware of it or the backdoors.
<bastos> I have neighbors who are interestedly curious. And I need to learn the firewalls now so as not to be embarrassed. :-)
<LinuxWolf> bastos: while learning is a great thing, it is not really an OS based thing. any box is only as good as the person that admins it.
<LinuxWolf> because a person has this OS or that OS means nothing really.
<LinuxWolf> NT can be locked down very well, just not a lot of people learn how is all
<LinuxWolf> I could not as I like Linux, but I know a cpl of admins they could make it you cant even get a cup of coffee so to speak from their boxes. But they are exceptions
<LinuxWolf> you either care bastos about security or you dont is the bottom line. the OS really is not relevant for the most part. Some are just easier to exploit or admin is all
<LinuxWolf> anyways I need some dinner, Have a great week all
<sam\seng> When will the log for this night event go online?
Session Close: Fri Sep 28 00:00:00 2001

Session Start: Thu Sep 27 11:24:44 2001

<sam\> Wintersun_afk
<sam\> Still here?
<sam\> brainless: Do you when the firewall and home network events will be online at linux.com?
<brainless> sam\: i have no idea :( sorry
<brainless> i shall find out and let u know
<Wintersun> sam\: I'm putting those logs up as we speak. :)
Session Close: Thu Sep 27 13:53:35 2001


Session Start: Thu Sep 27 15:53:15 2001
<sam\> Wintersun: Sweet, my ISP got into trouble during the event.. so I couldn't log it myself :|
<Wintersun> sam\: We always publish the logs for reasons such as that. If there's ever a log that you're looking for from a previous event, just ask me and I'll do what I can to get it to you.
<Wintersun> also, if you have any ideas for Live! events, feel free to suggest them to me. I'm always up for ideas.
<sam\> Cool :)
<sam\> I got one right here
<sam\> "How to set up your *DSL connection using PPPoE and sharing that connection with the rest of your network"
<sam\> :P
<Wintersun> hrm... how about a more generalized "Setting up DSL and sharing over your network"
<Wintersun> ?
<sam\> Don't forget the using PPPoE, that's the tricky part :P
<sam\> If the ISP isn't using PPPoE you can just put the DSL router as gw and you're set
<sam\> As far as I know at least..
<Wintersun> absolutely, especially since a lot of ISPs actually still use PPPoE for DSL.
<Wintersun> I'll see if I can hunt down someone who knows how to do that and I'll set it up.
<sam\> Nice! :)
<sam\> It's damn annoying to have a windows workstation as a router.. (reboots all the time), especially when you do almost all the internet activity via the linux server..
<Wintersun> sam\: well, we did do the firewall event last night and the previous night's setting up a network. That could at least get you with a firewall/router box setup for your network that's Linux, not Windows
<sam\> Yeah, I'm gonna use the fw log on my 386 that's coming to me this Saturday
<sam\> The network is covered :P
<Wintersun> Cool.
<sam\> So, it's just the DSL left and I'll be cruisin' the web in style :P
<Wintersun> heh. yeah, I work with a cable modem in my apartment. It's schweet.
<sam\> :)
<sam\> Hey, you wouldn't happen to know any dedicated news posters looking for a site to post news? (Linux related, of course)
<Wintersun> nope, sorry.
<Wintersun> you're more than welcome to write articles for us. :)
<sam\> hehe, I'm looking for writers for my own site :P
<sam\> http://www.linuxminds.net/TeMpOrArY/ *spam*
<sam\> ;P
Session Close: Thu Sep 27 16:58:23 2001