This commit is contained in:
gferg 2003-04-25 17:15:35 +00:00
parent 5950ac9e99
commit 17948b4fd0
1 changed files with 119 additions and 42 deletions


@ -18,12 +18,16 @@
<orgname><ulink url="&home;">Thyrsus Enterprises</ulink></orgname>
</affiliation>
</author>
<copyright>
<year>2003</year>
<holder>Eric S. Raymond</holder>
</copyright>
<revhistory>
<revision>
<revnumber>1.1</revnumber>
<date>2003-04-25</date>
<authorinitials>esr</authorinitials>
<revremark>
Added link to the linksysmon project. Mare configuration tips.
</revremark>
</revision>
<revision>
<revnumber>1.0</revnumber>
<date>2003-04-09</date>
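Review bot: the new revremark has a typo, `Mare configuration tips.` should read `More configuration tips.`; this text is rendered in the published revision history, so it is worth fixing before the release goes out.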
@ -54,15 +58,15 @@ well-suited for use on a home DSL connection and popular among Linux
hackers. This HOWTO gives hints and tips for managing Linksys routers
from a Linux system.</para>
<para>The specific recipes described here are derived from experience with
a BEFSR41, the 4-port router/firewall box. I have configured a BEFW11S4v2,
the 4-port router with 80211b wireless, and it behaves so similarly to the
BEFSR41 that I suspect they're using the firmware images mostly generated
from common source code &mdash; in fact, it wouldn't surprise me if it were
the same firmware, doing port tests to figure out what pieces of the user
interface it should enable. The firmware and web interfaces on all these
blue boxes are very similar, and most of the advice should
generalize.</para>
<para>The specific recipes described here are derived from long experience
with a BEFSR41, the 4-port router/firewall box. I have also configured a
BEFW11S4v2, the 4-port router with 80211b wireless, and it behaves so
similarly to the BEFSR41 that I suspect they're using the firmware images
mostly generated from common source code &mdash; in fact, it wouldn't
surprise me if it were the same firmware, doing port tests to figure out
what pieces of the user interface it should enable. The firmware and web
interfaces on all these blue boxes are very similar, and most of the advice
should generalize.</para>
</sect2>
<sect2 id="newversions"><title>New versions of this document</title>
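Review bot: both the replaced paragraph and its rewrite write `80211b` where the IEEE designation is `802.11b`; the rewrite was the natural place to fix it. The phrase `they're using the firmware images mostly generated from common source code` is also awkward in both versions; `the firmware images are mostly generated from common source code` says the same thing more directly.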
@ -70,7 +74,7 @@ generalize.</para>
<para>You can also view the latest version of this HOWTO on the World Wide Web
via the URL <ulink url="&howto;Linksys-Blue-Box-Router-HOWTO.html">
&howto;Linksys-Blue-Box-HOWTO.html</ulink>.</para>
</sect2>
</sect2>
<sect2 id="license"><title>License and Copyright</title>
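Review bot: the ulink's url attribute points at `Linksys-Blue-Box-Router-HOWTO.html` while the visible link text reads `Linksys-Blue-Box-HOWTO.html`; the two should agree, otherwise a reader who copies the printed text gets a dead URL. This hunk only adjusts whitespace around the closing `</sect2>` and leaves the mismatch in place.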
@ -82,10 +86,12 @@ via the URL <ulink url="&howto;Linksys-Blue-Box-Router-HOWTO.html">
with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
A copy of the license is located at <ulink url="http://www.gnu.org/copyleft/fdl.html">www.gnu.org/copyleft/fdl.html</ulink>.</para>
<para>Feel free to mail any questions or comments about this HOWTO to
Eric S. Raymond, <email>esr@snark.thyrsus.com</email>.</para>
<para>Feel free to mail any questions or comments about this HOWTO to Eric
S. Raymond, <email>esr@snark.thyrsus.com</email>. But please don't ask me
to troubleshoot your general networking problems; if you do, I'll just
ignore you.</para>
</sect2>
</sect2>
</sect1>
<sect1 id="howandwhen"><title>How and where to deploy</title>
@ -140,12 +146,6 @@ DMZ and port forwarding, are disabled if you have a dynamic address
rather than a static (at least, this was true of the BEFSR41 in 2000;
later firmware upgrades might be more capable).</para>
<para>There is a good article on configuring the BEFSR41, and its
limitations, at <ulink
url="http://www.arstechnica.com/reviews/3q00/linksys/befsr41-2.html">
Linksys EtherFast Cable/DSL Router, Model BEFSR41</ulink>. It dates
from August of 2000.</para>
</sect1>
<sect1 id="lostmanual"><title>Lost the manual?</title>
@ -158,7 +158,12 @@ PDF and to the Linksys corporate website.</para>
<para>For security and performance, do these things:</para>
<para>Make sure the DMZ host feature is disabled (under
<para>First, make sure <guibutton>AOL Parental Controls</guibutton>
(under <menuchoice><guimenu>Security</guimenu></menuchoice>) is turned off
(off is the default); otherwise the Linksys won't pass packets for your
Unix box at all.</para>
<para>For security, make sure the DMZ host feature is disabled (under
<menuchoice><guimenu>Advanced</guimenu><guimenuitem>DMZ
Host</guimenuitem></menuchoice>). Port forward specific services instead,
and as few of those as you can get away with. A good minimum set is 22
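Review bot: the new first-step paragraph states that with AOL Parental Controls on the router `won't pass packets for your Unix box at all`, but says nothing about what a reader would actually observe; one sentence describing the symptom would make the instruction checkable rather than something to take on faith. The introductory line still reads `For security and performance, do these things:`, and the DMZ paragraph now opens with `For security, make sure`, so the reader is told twice that this is for security; dropping one of the two qualifiers would read better.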
@ -174,21 +179,72 @@ that the Linksys implementation is flaky. While this won't affect
operating systems written by <emphasis>competent</emphasis> people, there
is no point in having traffic from a bunch of script-kiddie probes even
reach your network.</para>
<para>If you want to run a server, you also need to make sure stateful
packet inspection is off &mdash; this feature restricts incoming packets to
those associated with an outbound connection and is intended for heightened
security on client-only systems. On the
<menuchoice><guimenu>Filters</guimenu></menuchoice> page, make sure
<guilabel>SPI</guilabel> is off. If you don't see a radiobutton for SPI,
relax &mdash; the feature isn't present in all versions of the
firmware, and in fact was removed in 1.43 for stability reasons.</para>
<para>To speed up sending of outbound mail, go to
<menuchoice><guimenu>Advanced</guimenu><guimenuitem>Forwarding</guimenuitem></menuchoice>
and click the <guibutton>Port Triggering</guibutton> button. Specify 25,25
a the trigger port range and 113,113 as its incoming-port range. What this
will do is punch a temporary hole through the firewall during each outbound
SMTP session that will allow the receiving system to get to port 113, which
is identd service. This will enable the receiving SMTP to do an identd
check on your connection rather than timing out.</para>
<para>Some bug was introduced in firmware revision 1.42.3 that broke
traceroute. This was fixed in 1.42.6; just upgrade to the latest
version.</para>
</sect1>
<sect1 id="Software"><title>Software</title>
<para>There is a Unix utility called <application>linksysmon</application> that
talks with these boxes via SNMP. There is a <ulink
url="http://woogie.net/linksysmon/">Linksysmon project site</ulink>.</para>
<para>Linksysmon is a tool for monitoring Linksys BEFSR41 and BEFSR11
firewalls under Linux and other Unix-like operating systems. It accepts
log messages from the Linksys, and logs the messages to
<filename>/var/log/linksys.log</filename>. It handles the standard activity
logs, as well as the <quote>secret</quote> extended logging, and can handle
logs from multiple firewalls. When using extended logging, it can detect
external IP address changes (if you are using either DHCP or PPPOE) and can
call an external program to process the change.</para>
</sect1>
<sect1 id="ts-tips"><title>Troubleshooting tips</title>
<sect2 id="catatonia"><title>Occasional catatonia</title>
<sect2 id="catatonia"><title>Occasional catatonia and epilepsy</title>
<para>Linksys boxes freeze up occasionally (once every few months) and
have to be power-cycled. Suspect this is happening if your outside
Web access suddenly stops working; ping the Linksys box to check.</para>
<para>These catatonic episodes may be related to dirty power; at
least, it seems to happen more frequently in association with
electrical storms. If you think this has happened, just pull the
power connector out of the back and plug it back in. The Linksys
should reboot itself within 30 seconds or so.</para>
<para>These catatonic episodes may be related to dirty power; at least,
they seems to happen more frequently in association with electrical storms
and brownouts. If you think this has happened, just pull the power
connector out of the back and plug it back in. The Linksys should reboot
itself within 30 seconds or so.</para>
<para>There is a more severe failure mode that I've only seen once; it's
more like an epileptic seizure than catatonia, and involves strange blink
patterns on the Link, Collision, and 100Mbit diagnostic lights (the 100Mbit
light should not normally ever blink).</para>
<para>If this happens, power-cycling the Linksys won't suffice; you'll have
to hard-reset the thing. Some versions (like the BEFSR41) have a reset pin
that you poke with a paperclip end through a small hole in the front panel
labeled Reset. Some versions (like the BEFW11S4) have a reset button on
the back. You have to hold these down for about thirty seconds to
hard-reset the nonvolatile RAM. This will lose your configuration
settings.</para>
</sect2>
<sect2 id="mozillaquirks"><title>Mozilla interface quirks under 1.38 and earlier firmware</title>
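Review bot: the new SPI paragraph tells anyone running a server to turn stateful packet inspection off, but by the paragraph's own description that removes the inbound-traffic restriction for every host behind the router, not only the one running the server; the text should say so explicitly, and should advise readers to check whether their forwarded ports work with SPI left on before disabling it. The port-triggering recipe opens port 113 toward the LAN host for the duration of each SMTP session; it should note that the hole only does any good if an identd is actually listening there, and that the `113,113` range should stay as narrow as shown. Smaller points in the same hunk: `a the trigger port range` should be `as the trigger port range`; `they seems to happen` should be `they seem to happen`; `PPPOE` is conventionally written `PPPoE`; and the Software section first says linksysmon `talks with these boxes via SNMP` and then that it `accepts log messages from the Linksys`, which are two different mechanisms, so one of the two descriptions needs correcting or the relationship between them needs spelling out.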
@ -198,12 +254,13 @@ The normal way to administer one is to point a browser at its IP
address on your network. You program the box by filling out HTML
forms.</para>
<para>This is a nice bit of design that neatly avoids having
OS-specific client software. But some older versions of the webserver
firmware have a quirk that interacts with a bug in Mozilla (at least
at release 1.0.1) to make the interface almost unusable. Fortunately,
the recovery procedure is trivial. This bug was known to be present
as late as 1.38; it is absent in 1.44 and a good reason to upgrade.</para>
<para>This is a nice bit of design that neatly avoids having OS-specific
client software. But some older versions of the webserver firmware have a
quirk that interacts with a bug in Mozilla (at least at release 1.0.1) to
make the interface almost unusable. Fortunately, the recovery procedure is
trivial. This bug was known to be present as late as 1.40, and also
interfered with Netscape; it is absent in 1.44 and a good reason to
upgrade.</para>
<para>The symptom you're likely to see is a broken-image icon at the
upper left hand corner of each page. The broken image is a series of
@ -225,12 +282,17 @@ a race condition. When you hit the window just right, you get an
aborted request and a broken graphic.</para>
<para>Most other browsers are immune to this problem. Konqueror
doesn't trigger it.</para>
doesn't trigger it. Neither does Internet Explorer.</para>
</sect2>
</sect1>
<sect1 id="upgradingfirmware"><title>Upgrading the firmware</title>
<para>Before you upgrade, here is a tip the documentation does not mention:
disconnect all the patch cables except the one from the machine you are
using to upgrade the box. Handling a lot of other network traffic while
the firmware load is gong on can corrupt the firmware.</para>
<para>There are three ways you can upgrade your Linksys firmware.</para>
<para>One is to click the <quote>Upgrade firmware</quote> link on the
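Review bot: `gong` in the new firmware-upgrade tip should be `going`. The tip is worth keeping, but its justification, that handling other network traffic during the load `can corrupt the firmware`, is stated as fact without saying whether this was observed or is a precaution; a word on where it comes from would help readers weigh it against the rest of the procedure.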
@ -244,9 +306,9 @@ thing happen.</para>
from their website. This requires that you boot Windows or use
WINE.</para>
<para>The third way is to use tftp. This is how I did it. There is a
tftp client included with Red Hat Linux. To upgrade your firmware
this way, do the following steps:</para>
<para>The third way is to use <application>tftp</application>. This is how
I did it. There is a tftp client included with Red Hat Linux. To upgrade
your firmware this way, do the following steps:</para>
<procedure>
<step>
@ -305,10 +367,20 @@ the firmware version number has changed.</para>
<para>There is a site called <ulink
url="http://www.hansenonline.net/Networking/linksysFW.html">HansenOnline.net</ulink>
that seems to be mainly devoted to tracking and critiquing the LinkSys
that seems to be mainly devoted to tracking and critiquing the Linksys
firmware releases. Alas, the monitoring software it offers is for
Windows.</para>
<para>There is a Linksys tips and tricks <ulink
url="http://www.dslreports.com/faq/linksys">FAQ</ulink>; it's mostly
Windows stuff, but a few of the war stories may be useful.</para>
<para>There is a good article on configuring the BEFSR41, and its
limitations, at <ulink
url="http://www.arstechnica.com/reviews/3q00/linksys/befsr41-2.html">
Linksys EtherFast Cable/DSL Router, Model BEFSR41</ulink>. It dates
from August of 2000.</para>
</sect1>
</article>
@ -320,4 +392,9 @@ compile-command: "mail -s \"Linksys Blue Box Router HOWTO update\" submit@en.tld
End:
End:
-->
---------------------------------------------------------------------
To unsubscribe, e-mail: submit-unsubscribe@en.tldp.org
For additional commands, e-mail: submit-help@en.tldp.org
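Review bot: the lines after the closing `-->` (the dashed rule and the `To unsubscribe` / `For additional commands` lines) look like a mailing-list footer pasted into the file by accident; they sit outside the Emacs local-variables comment and after `</article>`, so they are stray content in the DocBook source and should be dropped from the commit. `End:` also appears twice in this hunk where the local-variables block needs only one; confirm that only a single `End:` survives in the result.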