mirror of https://github.com/tLDP/LDP
updated
parent 5950ac9e99
commit 17948b4fd0
@ -18,12 +18,16 @@
<orgname><ulink url="&home;">Thyrsus Enterprises</ulink></orgname>
</affiliation>
</author>
<copyright>
<year>2003</year>
<holder>Eric S. Raymond</holder>
</copyright>

<revhistory>
<revision>
<revnumber>1.1</revnumber>
<date>2003-04-25</date>
<authorinitials>esr</authorinitials>
<revremark>
Added link to the linksysmon project. Mare configuration tips.
</revremark>
</revision>
<revision>
<revnumber>1.0</revnumber>
<date>2003-04-09</date>

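Review bot: the new 1.1 `<revremark>` carries a typo, "Mare configuration tips." for "More configuration tips."; fix it before this entry ships, since the revremark text is rendered in the document's revision history.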
@ -54,15 +58,15 @@ well-suited for use on a home DSL connection and popular among Linux
hackers. This HOWTO gives hints and tips for managing Linksys routers
from a Linux system.</para>

<para>The specific recipes described here are derived from experience with
a BEFSR41, the 4-port router/firewall box. I have configured a BEFW11S4v2,
the 4-port router with 80211b wireless, and it behaves so similarly to the
BEFSR41 that I suspect they're using the firmware images mostly generated
from common source code — in fact, it wouldn't surprise me if it were
the same firmware, doing port tests to figure out what pieces of the user
interface it should enable. The firmware and web interfaces on all these
blue boxes are very similar, and most of the advice should
generalize.</para>
<para>The specific recipes described here are derived from long experience
with a BEFSR41, the 4-port router/firewall box. I have also configured a
BEFW11S4v2, the 4-port router with 80211b wireless, and it behaves so
similarly to the BEFSR41 that I suspect they're using the firmware images
mostly generated from common source code — in fact, it wouldn't
surprise me if it were the same firmware, doing port tests to figure out
what pieces of the user interface it should enable. The firmware and web
interfaces on all these blue boxes are very similar, and most of the advice
should generalize.</para>
</sect2>

<sect2 id="newversions"><title>New versions of this document</title>

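Review bot: the rewritten paragraph (the second copy, "derived from long experience ... I have also configured") keeps "80211b" from the original; the wireless standard is written 802.11b, so correct it while the paragraph is being touched. The rest of the change is a reflow plus the words "long" and "also", which is fine.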
@ -70,7 +74,7 @@ generalize.</para>
<para>You can also view the latest version of this HOWTO on the World Wide Web
via the URL <ulink url="&howto;Linksys-Blue-Box-Router-HOWTO.html">
&howto;Linksys-Blue-Box-HOWTO.html</ulink>.</para>
</sect2>
</sect2>

<sect2 id="license"><title>License and Copyright</title>


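Review bot: the `<ulink>` at the top of this hunk still shows the text "&howto;Linksys-Blue-Box-HOWTO.html" under url="&howto;Linksys-Blue-Box-Router-HOWTO.html"; the two should match, and given the compile-command subject "Linksys Blue Box Router HOWTO update" in the trailer, the url attribute looks like the right one, so change the link text. The `</sect2>` adjustment is fine.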
@ -82,10 +86,12 @@ via the URL <ulink url="&howto;Linksys-Blue-Box-Router-HOWTO.html">
with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
A copy of the license is located at <ulink url="http://www.gnu.org/copyleft/fdl.html">www.gnu.org/copyleft/fdl.html</ulink>.</para>

<para>Feel free to mail any questions or comments about this HOWTO to
Eric S. Raymond, <email>esr@snark.thyrsus.com</email>.</para>
<para>Feel free to mail any questions or comments about this HOWTO to Eric
S. Raymond, <email>esr@snark.thyrsus.com</email>. But please don't ask me
to troubleshoot your general networking problems; if you do, I'll just
ignore you.</para>

</sect2>
</sect2>
</sect1>

<sect1 id="howandwhen"><title>How and where to deploy</title>

@ -140,12 +146,6 @@ DMZ and port forwarding, are disabled if you have a dynamic address
rather than a static (at least, this was true of the BEFSR41 in 2000;
later firmware upgrades might be more capable).</para>

<para>There is a good article on configuring the BEFSR41, and its
limitations, at <ulink
url="http://www.arstechnica.com/reviews/3q00/linksys/befsr41-2.html">
Linksys EtherFast Cable/DSL Router, Model BEFSR41</ulink>. It dates
from August of 2000.</para>

</sect1>
<sect1 id="lostmanual"><title>Lost the manual?</title>


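Review bot: the Ars Technica paragraph removed here was the citation behind the preceding claim that DMZ host and port forwarding are disabled on a dynamic address ("at least, this was true of the BEFSR41 in 2000"); the same paragraph is re-added at the end of the firmware section later in this commit, so this is a relocation, but consider leaving a cross-reference here so the 2000-era claim still points at its source. The `<sect1 id="lostmanual">` line now directly follows `</sect1>` with no blank line, unlike the other section boundaries in the file.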
@ -158,7 +158,12 @@ PDF and to the Linksys corporate website.</para>

<para>For security and performance, do these things:</para>

<para>Make sure the DMZ host feature is disabled (under
<para>First, make sure <guibutton>AOL Parental Controls</guibutton>
(under <menuchoice><guimenu>Security</guimenu></menuchoice>) is turned off
(off is the default); otherwise the Linksys won't pass packets for your
Unix box at all.</para>

<para>For security, make sure the DMZ host feature is disabled (under
<menuchoice><guimenu>Advanced</guimenu><guimenuitem>DMZ
Host</guimenuitem></menuchoice>). Port forward specific services instead,
and as few of those as you can get away with. A good minimum set is 22

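Review bot: the new AOL Parental Controls paragraph sits under "For security and performance, do these things:" but is a connectivity fix rather than a security one, and its opening "First," makes the list read as ordered while the next paragraph's "For security," restarts the framing; drop "First," or move the paragraph ahead of the "For security and performance" lead-in. The DMZ paragraph would be stronger with its reason stated: DMZ host hands every unsolicited inbound connection to one LAN machine, which is exactly why the following sentence's "Port forward specific services instead, and as few of those as you can get away with" is the safer choice.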
@ -174,21 +179,72 @@ that the Linksys implementation is flaky. While this won't affect
operating systems written by <emphasis>competent</emphasis> people, there
is no point in having traffic from a bunch of script-kiddie probes even
reach your network.</para>


<para>If you want to run a server, you also need to make sure stateful
packet inspection is off — this feature restricts incoming packets to
those associated with an outbound connection and is intended for heightened
security on client-only systems. On the
<menuchoice><guimenu>Filters</guimenu></menuchoice> page, make sure
<guilabel>SPI</guilabel> is off. If you don't see a radiobutton for SPI,
relax — the feature isn't present in all versions of the
firmware, and in fact was removed in 1.43 for stability reasons.</para>

<para>To speed up sending of outbound mail, go to
<menuchoice><guimenu>Advanced</guimenu><guimenuitem>Forwarding</guimenuitem></menuchoice>
and click the <guibutton>Port Triggering</guibutton> button. Specify 25,25
a the trigger port range and 113,113 as its incoming-port range. What this
will do is punch a temporary hole through the firewall during each outbound
SMTP session that will allow the receiving system to get to port 113, which
is identd service. This will enable the receiving SMTP to do an identd
check on your connection rather than timing out.</para>

<para>Some bug was introduced in firmware revision 1.42.3 that broke
traceroute. This was fixed in 1.42.6; just upgrade to the latest
version.</para>

</sect1>
<sect1 id="Software"><title>Software</title>

<para>There is a Unix utility called <application>linksysmon</application> that
talks with these boxes via SNMP. There is a <ulink
url="http://woogie.net/linksysmon/">Linksysmon project site</ulink>.</para>

<para>Linksysmon is a tool for monitoring Linksys BEFSR41 and BEFSR11
firewalls under Linux and other Unix-like operating systems. It accepts
log messages from the Linksys, and logs the messages to
<filename>/var/log/linksys.log</filename>. It handles the standard activity
logs, as well as the <quote>secret</quote> extended logging, and can handle
logs from multiple firewalls. When using extended logging, it can detect
external IP address changes (if you are using either DHCP or PPPOE) and can
call an external program to process the change.</para>

</sect1>
<sect1 id="ts-tips"><title>Troubleshooting tips</title>

<sect2 id="catatonia"><title>Occasional catatonia</title>
<sect2 id="catatonia"><title>Occasional catatonia and epilepsy</title>

<para>Linksys boxes freeze up occasionally (once every few months) and
have to be power-cycled. Suspect this is happening if your outside
Web access suddenly stops working; ping the Linksys box to check.</para>

<para>These catatonic episodes may be related to dirty power; at
least, it seems to happen more frequently in association with
electrical storms. If you think this has happened, just pull the
power connector out of the back and plug it back in. The Linksys
should reboot itself within 30 seconds or so.</para>
<para>These catatonic episodes may be related to dirty power; at least,
they seems to happen more frequently in association with electrical storms
and brownouts. If you think this has happened, just pull the power
connector out of the back and plug it back in. The Linksys should reboot
itself within 30 seconds or so.</para>

<para>There is a more severe failure mode that I've only seen once; it's
more like an epileptic seizure than catatonia, and involves strange blink
patterns on the Link, Collision, and 100Mbit diagnostic lights (the 100Mbit
light should not normally ever blink).</para>

<para>If this happens, power-cycling the Linksys won't suffice; you'll have
to hard-reset the thing. Some versions (like the BEFSR41) have a reset pin
that you poke with a paperclip end through a small hole in the front panel
labeled Reset. Some versions (like the BEFW11S4) have a reset button on
the back. You have to hold these down for about thirty seconds to
hard-reset the nonvolatile RAM. This will lose your configuration
settings.</para>

</sect2>
<sect2 id="mozillaquirks"><title>Mozilla interface quirks under 1.38 and earlier firmware</title>

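Review bot: the new SPI paragraph tells anyone running a server to switch stateful packet inspection off, which by the paragraph's own description loosens inbound filtering for every LAN host, not just the server; make it conditional (try the port forward with SPI on first, and disable SPI only if the forwarded service still cannot be reached from outside) and say to leave SPI on otherwise, since the DMZ paragraph just above argues for the smallest possible exposure. The port-triggering recipe should likewise say plainly that it opens port 113 to the remote mail server for the life of each SMTP session, so the reader knows it is a deliberate trade-off and not only a speedup. Two typos in the same hunk: "Specify 25,25 a the trigger port range" should be "as the trigger port range", and "they seems to happen" in the rewritten catatonia paragraph should be "they seem to happen".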
@ -198,12 +254,13 @@ The normal way to administer one is to point a browser at its IP
address on your network. You program the box by filling out HTML
forms.</para>

<para>This is a nice bit of design that neatly avoids having
OS-specific client software. But some older versions of the webserver
firmware have a quirk that interacts with a bug in Mozilla (at least
at release 1.0.1) to make the interface almost unusable. Fortunately,
the recovery procedure is trivial. This bug was known to be present
as late as 1.38; it is absent in 1.44 and a good reason to upgrade.</para>
<para>This is a nice bit of design that neatly avoids having OS-specific
client software. But some older versions of the webserver firmware have a
quirk that interacts with a bug in Mozilla (at least at release 1.0.1) to
make the interface almost unusable. Fortunately, the recovery procedure is
trivial. This bug was known to be present as late as 1.40, and also
interfered with Netscape; it is absent in 1.44 and a good reason to
upgrade.</para>

<para>The symptom you're likely to see is a broken-image icon at the
upper left hand corner of each page. The broken image is a series of

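Review bot: the rewritten paragraph moves the last-known-affected firmware from 1.38 to 1.40, but the enclosing section title, left untouched in the previous hunk's trailing context, still reads "Mozilla interface quirks under 1.38 and earlier firmware"; update the title to 1.40 (and, since the body now says Netscape is affected too, consider a title that does not name only Mozilla).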
@ -225,12 +282,17 @@ a race condition. When you hit the window just right, you get an
aborted request and a broken graphic.</para>

<para>Most other browsers are immune to this problem. Konqueror
doesn't trigger it.</para>
doesn't trigger it. Neither does Internet Explorer.</para>
</sect2>

</sect1>
<sect1 id="upgradingfirmware"><title>Upgrading the firmware</title>

<para>Before you upgrade, here is a tip the documentation does not mention:
disconnect all the patch cables except the one from the machine you are
using to upgrade the box. Handling a lot of other network traffic while
the firmware load is gong on can corrupt the firmware.</para>

<para>There are three ways you can upgrade your Linksys firmware.</para>

<para>One is to click the <quote>Upgrade firmware</quote> link on the

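Review bot: "while the firmware load is gong on" in the new upgrade tip should be "going on". The tip itself is sound; since the catatonia section added in this same commit blames brownouts for lockups, it would be worth adding that the upgrade should not be started while power is unreliable either, as the text already names a corrupted firmware load as the outcome to avoid.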
@ -244,9 +306,9 @@ thing happen.</para>
from their website. This requires that you boot Windows or use
WINE.</para>

<para>The third way is to use tftp. This is how I did it. There is a
tftp client included with Red Hat Linux. To upgrade your firmware
this way, do the following steps:</para>
<para>The third way is to use <application>tftp</application>. This is how
I did it. There is a tftp client included with Red Hat Linux. To upgrade
your firmware this way, do the following steps:</para>

<procedure>
<step>

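Review bot: the markup-only change here is fine; this paragraph is also the natural place to say that the tftp transfer is plaintext over the LAN, which gives the reader a second reason for the earlier advice to unplug every patch cable except the upgrading host's during the load.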
@ -305,10 +367,20 @@ the firmware version number has changed.</para>

<para>There is a site called <ulink
url="http://www.hansenonline.net/Networking/linksysFW.html">HansenOnline.net</ulink>
that seems to be mainly devoted to tracking and critiquing the LinkSys
that seems to be mainly devoted to tracking and critiquing the Linksys
firmware releases. Alas, the monitoring software it offers is for
Windows.</para>

<para>There is a Linksys tips and tricks <ulink
url="http://www.dslreports.com/faq/linksys">FAQ</ulink>; it's mostly
Windows stuff, but a few of the war stories may be useful.</para>

<para>There is a good article on configuring the BEFSR41, and its
limitations, at <ulink
url="http://www.arstechnica.com/reviews/3q00/linksys/befsr41-2.html">
Linksys EtherFast Cable/DSL Router, Model BEFSR41</ulink>. It dates
from August of 2000.</para>

</sect1>
</article>


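Review bot: "Alas, the monitoring software it offers is for Windows." now reads as if there were no Unix option, even though this same commit adds a Software section describing linksysmon; add a cross-reference to that section here. The "LinkSys" to "Linksys" spelling fix is good, and moving the Ars Technica paragraph here matches its removal from the deployment section earlier in the diff.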
@ -320,4 +392,9 @@ compile-command: "mail -s \"Linksys Blue Box Router HOWTO update\" submit@en.tld
End:
End:
-->


---------------------------------------------------------------------
To unsubscribe, e-mail: submit-unsubscribe@en.tldp.org
For additional commands, e-mail: submit-help@en.tldp.org


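Review bot: this hunk adds a second "End:" line to the Emacs local-variables block and appends a mailing-list trailer ("To unsubscribe, e-mail: submit-unsubscribe@en.tldp.org" and the following line) after the closing "-->" and after "</article>". Non-whitespace text after the root element is not well-formed XML, so the file will no longer parse; drop the duplicate "End:" and the trailer, which evidently came from the submission being round-tripped through the submit@en.tldp.org list named in the compile-command.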