2604 lines
102 KiB
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<?xml version="1.0" encoding="UTF-8"?>
<sect1 id="Protocols-Standards-Services">
IEEE (Institute of Electrical and Electronics Engineers) 802 Standards
802.1 Internetworking
802.2 Logical Link Control (LLC)
802.3 CSMA/CD (Ethernet) media access method
802.4 Token bus media access method
802.5 Token Ring Media access method
802.6 Metropolitan Area Netwoks (MANs)
802.7 Broadband technologies
802.8 Fiber optic technologies
802.9 Hybrid (voice and data) networking
802.10 Network security
802.11 Wireless Networking
802.12 High-speed LANs
3.8. Amateur Radio
The Linux kernel has built-in support for amateur radio protocols.
Especially interesting is the AX.25 support. The AX.25 protocol offers
both connected and connectionless modes of operation, and is used
either by itself for point-point links, or to carry other protocols
such as TCP/IP and NetRom.
It is similar to X.25 level 2 in structure, with some extensions to
make it more useful in the amateur radio environment.
· Amateur radio on Linux web site <http://radio.linux.org.au/>
The Network Device Interface Specification (NDIS) is a standard developed
by Microsoft and IBM to enable communication between protocols and network
card drivers. The purpose of NDIS is to abstract the functions of the
network driver so that protocols can work with any driver. NDIS works
within the data link layer of the OSI model.
NDIS allows software components to be written in a modular fashion, and
components that conform to a version of the NDIS specification are
guaranteed to communicate with eachother. The current version of NDIS
is 4.0.
The process of assigning a protocol to a network card is called binding.
NDIS allows multiple protocols to be bound to a single network card,
and multiple network cards to be bound to a single protocol (or multiple
ODI (Open Datalink Interface), devloped by Novell and Apple, is an
implementation of the same functionality. While designed primarily for
the IPX protocol, ODI can be used with any protocol. Netware clients and
servers can have network cards bound to multiple protocols. Microsoft's
implementation of the IPX protocol, NWLink, also supports the ODI standard.
<sect1 id="Appletalk">
Appletalk is the network architecture/internetworking stack developed
by Apple to work with Macintosh computers. It allows a peer-to-peer
network model which provides basic functionality such as file and printer
sharing. Each machine can simultaneously act as a client and a server,
and the software and hardware necessary are included with every Apple
computer. Appletalk actually supports three network transports:
Ethernet, Token Ring, and a dedicated system called Localtalk.
LocalTalk is traditionally wired in a star or hybrid topology using custom
connectors and STP cable. A popular third-party system allows ordinary phone
cable to be used instead of STP. LocalTalk supports up to 32 node per network.
The implementations of Ethernet and Token Ring (EtherTalk and TokenTalk)
support for more sophisticated networks. Localtalk uses CSMA/CA access method.
Rather than detect collisions as with Ethernet, this method requires nodes to
wait a certain amount of time after detecting an existing signal on the network
before attempting to transmit, avoiding most collisions.
Linux provides full Appletalk networking. Netatalk is a kernel-level
implementation of the AppleTalk Protocol Suite, originally for BSD-
derived systems. It includes support for routing AppleTalk, serving
Unix and AFS filesystems over AFP (AppleShare), serving Unix printers
and accessing AppleTalk printers over PAP. Linux systems just show up
as another Macintosh on the network.
- Netatalk faq and HOWTO:
- http://thehamptons.com/anders/netatalk/
- http://www.umich.edu/~rsug/netatalk/
- http://www.umich.edu/~rsug/netatalk/faq.html
<sect1 id="ARCnet">
ARCnet, developed in 1977, by Datapoint Corporation, is an older standard
that has largely been replaced by Ethernet in current networks. ARCnet,
uses RG-62 coaxial cable in a star, bus, or hybrid physical topology. This
networking scheme supports active and passive hubs, which must be connected
to an active hub. ARCnet requries 93-ohm terminators at the end of bus
cables, and on unused ports of passive hubs. It supports UTP, coaxial, or
fiber-optic cable. The distance between nodes is 400 feet with UTP cable,
and higher for coaxial or fiber-optic cable.
ARCnet uses a token-passing scheme similar to that of token ring. ARCnet
networks support a bandwidth of 2.5 Mbps. Newer standards (ARCnet Plus and
TCNS) support speeds of 20 Mbps and 100 Mbps, but have not really caught on.
<sect1 id="ATM">
ATM (Asynchronous Transfer Mode), is a high speed packet switching format
that supports up to 622 Mbps. ATM can be used with T1 and T3 lines, FDDI,
and SONET OC1 and OC3 lines. ATM uses a technology called cell switching.
Data is sent in 53-byte packets called cells. Because packets are small and
uniform in size, they can be quickly routed by hardware switches. ATM uses
a virtual circuit between connection points for high reliability over
high-speed links.
ATM support for Linux is currently in pre-alpha stage. There is an
experimental release, which supports raw ATM connections (PVCs and
SVCs), IP over ATM, LAN emulation....
The Linux ATM-Linux home page is at, <ulink url="http://lrcwww.epfl.ch/linux-atm/"/>.
Werner Almesberger <email>werner.almesberger@lrc.di.epfl.ch</email> is managing a
project to provide Asynchronous Transfer Mode support for Linux.
Current information on the status of the project may be obtained from,
<sect1 id="DDS-Switched56">
DDS (Digital Data Service) and Switched 56 are types of dedicated
digital line provided by phone carriers. DDS lines are more
expensive than dedicated analog lines, but support a more consistent quality.
DDS lines support a speed of 56 Kbps. A device called a CSU/DSU (Channel
Service Unit/Digital Service Unit) is used to connect the network to the
dedicated line.
Switched 56 is an alternative to DDS that provides the same type of
connection, but in a circuit-switched format. The line is available
on demand rather than continuously, and you are billed for the hours that
you use it. ISDN has largely replaced Switched 56 for this purpose.
<sect1 id="DECnet">
Support for DECnet is currently being worked on. You should expect it
to appear in a late 2.1.* kernel.
<sect1 id="DLC">
DLC (Data Link Control) is a transport protocol developed by IBM for SNA
(System Network Architecture), a protocol suite for network communication
with mainframe computers. Particular versions of DLC are called SDLC
(Synchronous Data Link Control) and HDLC (High-level Data Link Control).
Along with its main uses in mainframe communication, DLC is the protocol
used by many network-aware printers such Hewlett-Packard's JetDirect
<sect1 id="EQL">
EQL provides a means of utilizing multiple point to point lines such
as PPP, SLIP or PLIP as a single logical link to carry TCP/IP. Often,
it is cheaper to use multiple lower speed lines than to have one high
speed line installed. In short, EQL is multiple line traffic equaliser.
<sect1 id="Ethernet">
Ethernet is the most common network architecture worldwide. It was developed by Xerox,
Intel and DEC in the late 1960s and revised as Ethernet 2.0 in 1982. Ethernet networks
the CSMA/CD (carrier sense multiple access with collision detection) media access method,
defined in IEEE 802.3.
There are three Ethernet standards for different media:
See P41 of Oreilly "MSCE Networking"
Fast Ethernet
Fast Ethernet, also known as 100BaseT, is a new standard for 100 Mbps Ethernet. Fast Ethernet
can use two-pair Category 5 cable of four-pair Category 3-5 cable.
100BaseT uses a physical star topology identical to that used by 10BaseT, but requires that
all equipment (hubs, NICs, and repeaters) support 100 Mbps speeds. Some NICs and hubs can support
both standards, but all devices on the network need to be configured to use the same standard.
Several manufacturers devleloped 100 Mbps Ethernet devices before 100BaseT became a standard. The
most popular of these, 100VG-AnyLan, is still widely used. This standard uses a demand priority
access method rather than CSMA/CD, and also supports networks that combine Ethernet and Token
Ring packets.
> Start Binh
GigE Ethernet, also known as 1000BaseT or Gigabit Ethernet. GigE can only use Cat 5 cable. GigE uses the same topology as that of Fast Ethernet (ie. physical star topology). Like Fast Ethernet though it requires that hubs/switches on the LAN to be GigE capable. If not it will revert back to
100BaseT, and if this is not available to 10BaseT Ethernet.
It is now often utilized as a more inexpensive option to Optic Fibre.
> End Binh
* Ethernet-Howto
<sect1 id="FDDI">
FDDI (Fiber Distributed Data Interface) is a high-speed, reliable, long-distance
networking scheme often used for network backbones and networks that require
high bandwidth. FDDI uses fiber optic cable wired in a true ring. It supports
speeds up to 100 Mbps and a maximum distance bewteen nodes of 100 kilometers
(62 miles).
FDDI uses token-passing scheme wired into two rings, primary and secondary. The
primary ring is used for normal networking. When a failure is detected, the
secondary ring is used in the opposite direction to compensate for the failure
in the primary ring.
The advantages of FDDI are their high speed, long distance, and reliablity.
The token-passing scheme used by FDDI is also more sophisticated than that
of Token Ring: it allows multiple packets to be on the ring at once, and
allows certain nodes to be given higher priority than the rest. The
disadvantage of FDDI is its high cost and the difficult in installing and
maintaing fiber optic cable.
<sect1 id="Frame-Relay">
Frame relay is a protocol used with leased lines to support speeds up to
1.544 Mbps. Frame realy uses packet switching over a phone company's
network. Frame realy connections use a virtual circuit, called
a PVC (private virtual circuit), to establish connections. Once established,
connections use a low overhead and do not provide error correction.
A frame realy compatible router is used to attach the LAN to the frame
relay line. Frame relay lines are available in speeds ranging from 56 Kbps
to 1.544 Mbps, and varying proportionally in cost. One advantage of frame
relay is that bandwidth is available on demand: you can install a line
at 56 Kbps and later upgrade it to a higher speed by ordering the service
from the carrier, usually without replacing any equipment.
It was specifically designed and is well suited to data communications traffic
that is of a `bursty' or intermittent nature. You connect to a Frame Relay
network using a Frame Relay Access Device (FRAD). The Linux Frame Relay
supports IP over Frame Relay as described in RFC-1490.
<sect1 id="NetBEUI">
NetBEUI (NetBIOS Extended User Interface) is a transport-layer protocol
developed by Microsoft and IBM. NetBEUI was mainly intended as a basic
protocol to support NetBIOS (Network Basic Input/Output System), the
Windows standard for workstation naming, communications, and file sharing.
NetBEUI is a fast protocol with a low overhead, which makes it a good
choice for small networks. However, it is a non-routable protocol.
Networks that use NetBEUI can be use bridges for traffic management,
but cannot use routers. Another disadvantage is its proprietary nature.
NetBEUI is supported by few systems other than Windows.
Although NetBEUI was developed by Microsoft and was the default protocol
for some operating systems (such as Windows for Workgroups and Windows 95),
Microsoft recommends TCP/IP over NetBEUI for most Windows NT networks.
<sect1 id="IPX">
IPX and SPX are proprietary protocols that were developed during the
early 1980s by Novell for use in NetWare networks.
NetWare became the de facto standard network operating system (NOS) of
first generation LANs. Novell complemented its NOS with a
business-oriented application suite and client-side connection utilities.
They were based on protocols used in Xerox's XNS (Xerox Network Systems)
network architecture.
IPX (Internetwork Packet Exchange) is a connectionless protocol that works
at the network layer of the OSI model, and SPX (Sequenced Packet Exchange)
is a connection-orientated protocol that works at the transport layer.
These protocols are often easier to configure than TCP/IP and are routable,
so they make a good alternative for some networks, particularly small
peer-to-peer networks. However, TCP/IP is more suitable for larger
LANs and WANs.
Frame types are one aspect of IPX networks that sometimes does require
configuration. The frame type determines the order and type of data included
in the packet. Typical frame types used in NetWare networks
802.2 and 802.3.
Linux has a very clean IPX/SPX implementation, allowing it to be
configured as an:
· IPX router
· IPX bridge
· NCP client and/or NCP Server (for sharing files)
· Novell Print Client, Novell Print Server
And to:
· Enable PPP/IPX, allowing a Linux box to act as a PPP server/client
· Perform IPX tunnelling through IP, allowing the connection of two
IPX networks through an IP only link
<sect1 id="Leased-Line">
Any fixed, that is permanent, point to point data communications link,
which is leased from a telco or similar organisation. The leased line
involves cables, such as twisted pair, coax or fiber optic, and may
involve all sorts of other hardware such as (pupin) coils,
transformers, amplifiers and regenerators.
A T1 line is a high-speed, dedicated, point-to-point leased line that
includes 24 seperate 64 Kbps channles for voice and data. Other lines
of this type, called T-carrier lines, support larger numbers of channels.
T1 and T3 lines are the most commonly used.
Carrier Channels Total Bandwidth
T1 24 1.544 Mbps
T2 96 6.312 Mbps
T3 672 44.736 Mbps
T4 4032 274.176 Mbps
While the specification for T-carrier lines does not mandate a particular
media type, T1 and T2 are typically carried on copper, and T3 and T4
typically use fiber optic media. DS1, DS2, DS3, and DS4 are an alternate
type of line equivalent to T1-T4, and typically use fiber optic media.
SONET (Synchronous Optical Network)
A leased-line system using fiber optic media to support data speeds up to
2.4 Gbps. SONET services are sold based on optical carier (OC) levels. OC
levels are calculated as multiples of the OC-1 speed, 51.840 Mbps. For
example, OC-3 level would correspond with a data speed of 155 Mbps and
OC-12 level would equate to a data transfer rate of 622 Mbps. OC-1 and
OC-3 are the most commonly used SONET lines.
<sect1 id="PLIP">
PLIP (Parallel Line IP), is like SLIP, in that it is used for
providing a point to point network connection between two machines,
except that it is designed to use the parallel printer ports on your
machine instead of the serial ports (a cabling diagram in included in
the cabling diagram section later in this document). Because it is
possible to transfer more than one bit at a time with a parallel port,
it is possible to attain higher speeds with the plip interface than
with a standard serial device. In addition, even the simplest of
parallel ports, printer ports, can be used in lieu of you having to
purchase comparatively expensive 16550AFN UART's for your serial
ports. PLIP uses a lot of CPU compared to a serial link and is most
certainly not a good option if you can obtain some cheap ethernet
cards, but it will work when nothing else is available and will work
quite well. You should expect a data transfer rate of about 20
kilobytes per second when a link is running well.
PLIP allows the cheap connection of two machines.
It uses a parallel port and a special cable, achieving speeds of
10kBps to 20kBps.
- Networking HOWTO
<sect1 id="PPP-and-SLIP">
<title>PPP and SLIP</title>
The Linux kernel has built-in support for PPP (Point-to-Point-
Protocol) and SLIP (Serial Line IP). PPP is the most popular
way individual users access their ISPs (Internet Service
· <ulink url="http://metalab.unc.edu/mdw/HOWTO/PPP-HOWTO.html">Linux PPP HOWTO</ulink>
· <ulink url="http://metalab.unc.edu/mdw/HOWTO/mini/SLIP-PPP-Emulator.html">PPP/SLIP emulator</ulink>
<sect1 id="Token-Ring">
The Token Ring architecture is defined in IEEE 802.5. IBM has further defined
the standard to include particular types of devices and cables. Token Ring uses
a logical ring topology and a physical star topology. The hubs for Token Rung
are called multistation access units, or MAUs.
The Token Ring standard supports either 4 Mbps or 16 Mbps speeds. Cable can be
STP, UTP, or fiber. One popular wiring scheme uses Category 5 cable. There are
also a varity of cable types defined by IBM (referred to as Type 1 through
Type 9). Distances between nodes can range from 45 meters for UTP to a kilometer
or more for fiber optic cable.
Token Ring networks use a token-passing access scheme. A token data frame is
passed from one computer to the net around the ring. Each computer can
transmit data only when it has the token. This access method provides equal
access to the network for all nodes, and handles heavy loads better than
Ethernet's contention-based method.
The nodes in a Token Ring network monitor each other for reliablity. The
first computer in the network becomes an Active Monitor, and the others
are Passive Monitors. Each computer monitors its nearest upstream
neighbour. When an error occurs, the computer broadcasts a beacon packet
indicating the error.
The NICs in all computers respond to the beacon by running self-tests, and
removing themselves from the network if necessary. Node in the network can
also automatically remove packets sent to a computer that is having a
problem. This makes Token Ring a reliable choice for networking.
- Token-Ring HOWTO
<sect1 id="X25">
X.25 is a circuit based protocol developed in the 1970s for packet switching
by the C.C.I.T.T. (a standards body recognized by Telecommunications
companies in most parts of the world), allowing customers to share access to
a PDN (Public Data Network). These networks, such as Sprintnet and Tymnet,
were the most practical way to connect large companies at the time,
and are still used by some companies. PDNs are networks that have local
dial-up access points in cities throughout the country and use dedicated lines
to network between these cities. Companies would dial up in two locations to
connect their computers.
Computers, routers, or other devices that access a PDN using the X.25
protocols are called data terminal equipment, or DTEs. DTEs without built-in
support for X.25 is a protocol with a relatively high overhead, since it
provides error control and accounting for users of the network.
The X.25 protocol supports speeds up to 64 Kbps. This makes it impractical for
many networks, but it is an inexpensive alternative for low-bandwidth
applications. X,25 is a protocol with a relatively high overhead, since it
provides error control and accouting for users of the network.
<sect1 id="IPv6">
2.1. What is IPv6?
IPv6, sometimes also referred to as IPng (IP Next Generation)
is a new layer 3 protocol (see [http://www.linuxports.com/howto/
intro_to_networking/c4412.htm#PAGE103HTML] linuxports/howto/
intro_to_networking/ISO - OSI Model) which will supersede IPv4 (also known as
It was designed to address many issues including, the shortage of
available IP addresses, lack of mechanisms to handle time-sensitive
traffic, lack of network layer security, etc.
IPv4 was designed long time ago ([http://www.faqs.org/rfcs/rfc760.html]
RFC 760 / Internet Protocol from January 1980) and since its inception, there
have been many requests for more addresses and enhanced capabilities. Latest
RFC is [http://www.faqs.org/rfcs/rfc2460.html] RFC 2460 / Internet Protocol
Version 6 Specification. Major changes in IPv6 are the redesign of the
header, including the increase of address size from 32 bits to 128 bits.
Because layer 3 is responsible for end-to-end packet transport using packet
routing based on addresses, it must include the new IPv6 addresses (source
and destination), like IPv4. It is anticpated that the larger name space
and accompanying improved addressing scheme, which will prove to provide
a major improvement on routing performance.
For more information about the IPv6 history take a look at older IPv6 related
RFCs listed e.g. at [http://www.switch.ch/lan/ipv6/references.html] SWITCH
IPv6 Pilot / References.
2.2. History of IPv6 in Linux
The years 1992, 1993 and 1994 of the IPv6 History (in general) are covered by
following document: [http://www.laynetworks.com/users/webs/IPv6.htm#CH3] IPv6
or IPng (IP next generation).
To-do: better time-line, more content...
2.2.1. Beginning
The first IPv6 related network code was added to the Linux kernel 2.1.8 in
November 1996 by Pedro Roque. It was based on the BSD API:
diff -u --recursive --new-file v2.1.7/linux/include/linux/in6.h
¬ linux/include/linux/in6.h
--- v2.1.7/linux/include/linux/in6.h Thu Jan 1 02:00:00 1970
+++ linux/include/linux/in6.h Sun Nov 3 11:04:42 1996
@@ -0,0 +1,99 @@
+ * Types and definitions for AF_INET6
+ * Linux INET6 implementation
+ * + * Authors:
+ * Pedro Roque <******>
+ *
+ * Source:
+ * IPv6 Program Interfaces for BSD Systems
+ * <draft-ietf-ipngwg-bsd-api-05.txt>
The shown lines were copied from patch-2.1.8 (e-mail address was blanked on
2.2.2. In between
Because of lack of manpower, the IPv6 implementation in the kernel was unable
to follow the discussed drafts or newly released RFCs. In October 2000, a
project was started in Japan, called [http://www.linux-ipv6.org/] USAGI,
whose aim was to implement all missing, or outdated IPv6 support in Linux. It
tracks the current IPv6 implementation in FreeBSD made by the [http://
www.kame.net/] KAME project. From time to time they create snapshots against
current vanilla Linux kernel sources.
2.2.3. Current
Unfortunately, the [http://www.linux-ipv6.org/] USAGI patch is so big, that
current Linux networking maintainers are unable to include it in the
production source of the Linux kernel 2.4.x series. Therefore the 2.4.x
series is missing some (many) extensions and also does not confirm to all
current drafts and RFCs (see [http://www.ietf.org/html.charters/
ipv6-charter.html] IP Version 6 Working Group (ipv6) Charter). This can cause
some interoperability problems with other operating systems.
2.2.4. Future
[http://www.linux-ipv6.org/] USAGI is now making use of the new Linux kernel
development series 2.5.x to insert all of their current extensions into this
development release. Hopefully the 2.6.x kernel series will contain a true
and up-to-date IPv6 implementation.
<sect1 id="STRIP">
STRIP (Starnode Radio IP) is a protocol designed specifically for
a range of Metricom radio modems for a research project being
conducted by Stanford University called the MosquitoNet Project.
There is a lot of interesting reading here, even if you aren't
directly interested in the project.
The Metricom radios connect to a serial port, employ spread spectrum
technology and are typically capable of about 100kbps. Information on
the Metricom radios is available from the: Metricom Web Server.
At present the standard network tools and utilities do not support the
STRIP driver, so you will have to download some customized tools from
the MosquitoNet web server. Details on what software you need is
available at the: MosquitoNet STRIP Page.
A summary of configuration is that you use a modified slattach program
to set the line discipline of a serial tty device to STRIP and then
configure the resulting `st[0-9]' device as you would for ethernet
with one important exception, for technical reasons STRIP does not
support the ARP protocol, so you must manually configure the ARP
entries for each of the hosts on your subnet. This shouldn't prove too
onerous. STRIP device names are `st0', `st1', etc.... The relevant
kernel compilation options are given below.
Kernel Compile Options:
Network device support --->
[*] Network device support
[*] Radio network interfaces
< > STRIP (Metricom starmode radio IP)
<sect1 id="WaveLAN">
The WaveLAN card is a spread spectrum wireless lan card. The card
looks very like an ethernet card in practice and is configured in much
the same way.
You can get information on the Wavelan card from wavelan.com.
Wavelan device names are `eth0', `eth1', etc.
Kernel Compile Options:
Network device support --->
[*] Network device support
[*] Radio network interfaces
<*> WaveLAN support
<sect1 id="ISDN">
The Integrated Services Digital Network (ISDN) is a series of
standards that specify a general purpose switched digital data
network. An ISDN `call' creates a synchronous point to point data
service to the destination. ISDN is generally delivered on a high
speed link that is broken down into a number of discrete channels.
There are two different types of channels, the `B Channels' which will
actually carry the user data and a single channel called the `D
channel' which is used to send control information to the ISDN
exchange to establish calls and other functions. In Australia for
example, ISDN may be delivered on a 2Mbps link that is broken into 30
discrete 64kbps B channels with one 64kbps D channel. Any number of
channels may be used at a time and in any combination. You could for
example establish 30 separate calls to 30 different destinations at
64kbps each, or you could establish 15 calls to 15 different
destinations at 128kbps each (two channels used per call), or just a
small number of calls and leave the rest idle. A channel may be used
for either incoming or outgoing calls. The original intention of ISDN
was to allow Telecommunications companies to provide a single data
service which could deliver either telephone (via digitised voice) or
data services to your home or business without requiring you to make
any special configuration changes.
There are a few different ways to connect your computer to an ISDN
service. One way is to use a device called a `Terminal Adaptor' which
plugs into the Network Terminating Unit that you telecommunications
carrier will have installed when you got your ISDN service and
presents a number of serial interfaces. One of those interfaces is
used to enter commands to establish calls and configuration and the
others are actually connected to the network devices that will use the
data circuits when they are established. Linux will work in this sort
of configuration without modification, you just treat the port on the
Terminal Adaptor like you would treat any other serial device.
Another way, which is the way the kernel ISDN support is designed for
allows you to install an ISDN card into your Linux machine and then
has your Linux software handle the protocols and make the calls
The Linux kernel has built-in ISDN capabilies. Isdn4linux controls
ISDN PC cards and can emulate a modem with the Hayes command set ("AT"
commands). The possibilities range from simply using a terminal
program to connections via HDLC (using included devices) to full
connection to the Internet with PPP to audio applications.
· FAQ for isdn4linux: http://ww.isdn4linux.de/faq/
Kernel Compile Options:
ISDN subsystem --->
<*> ISDN support
[ ] Support synchronous PPP
[ ] Support audio via ISDN
< > ICN 2B and 4B support
< > PCBIT-D support
< > Teles/NICCY1016PC/Creatix support
The Linux implementation of ISDN supports a number of different types
of internal ISDN cards. These are those listed in the kernel
configuration options:
· ICN 2B and 4B
· Octal PCBIT-D
· Teles ISDN-cards and compatibles
Some of these cards require software to be downloaded to them to make
them operational. There is a separate utility to do this with.
Full details on how to configure the Linux ISDN support is available
from the /usr/src/linux/Documentation/isdn/ directory and an FAQ
dedicated to isdn4linux is available at www.lrz-muenchen.de. (You can
click on the english flag to get an english version).
A note about PPP. The PPP suite of protocols will operate over either
asynchronous or synchronous serial lines. The commonly distributed PPP
daemon for Linux `pppd' supports only asynchronous mode. If you wish
to run the PPP protocols over your ISDN service you need a specially
modified version. Details of where to find it are available in the
documentation referred to above.
<sect1 id="NIS">
The Network Information Service (NIS) provides a simple network lookup
service consisting of databases and processes. Its purpose is to
provide information that has to be known throughout the network to all
machines on the network. For example, it enables an administrator to
allow users access to any machine in a network running NIS without a
password entry existing on each machine; only the main database needs
to be maintained.
<sect1 id="Services">
<sect1 id="Database">
Most databases are supported under Linux, including Oracle, DB2, Sybase, Informix, MySQL, PostgreSQL,
InterBase and Paradox. Databases, and the Structures Query Language they work with, are complex, and this
chapter has neither the space or depth to deal with them. Read the next section on PHP to learn how to set
a dynamically generated Web portal in about five minutes.
We'll be using MySQL because it's extremely fast, capable of handling large databases (200G databases aren't
unheard of), and has recently been made open source. It also works well with PHP. While currently
lacking transaction support (due to speed concerns), a future version of MySQL will have this opt
* Connecting to MS SQL 6.x+ via Openlink/PHP/ODBC mini-HOWTO
* Sybase Adaptive Server Anywhere for Linux HOWTO
<sect1 id="DHCP">
Endeavouring to maintain static IP addressing to maintain static IP addressing
information, such as IP addresses, subnet masks, DNS names and other
information on client machines can be difficult. Documentation becomes lost or
out-of-date, and network reconfigurations require details to be modified
manually on every machine.
DHCP (Dynamic Host Configuration Protocol) solves this problem by providing
arbitrary information (including IP addressing) to clients upon request.
Almost all client OSes support it and it is standard in most large networks.
The impact that it has is most prevalent it eases network administration,
especially in large networks or networks which have lots of mobile users.
2. DHCP protocol
DHCP (Dynamic Host Configuration Protocol), is used to control
vital networking parameters of hosts (running clients) with the help
of a server. DHCP is backward compatible with BOOTP. For more
information see RFC 2131 (old RFC 1541) and other. (See Internet
Resources section at the end of the document). You can also read
<sect1 id="DNS">
Setting Up Your New Domain Mini-HOWTO.
<sect1 id="FTP">
File Transport Protocol (FTP) is an efficient way to transfer files between
machines across networks and clients and servers exist for almost all platforms
making FTP the most convenient (and therefore popular) method of transferring
files. FTP was first developed by the University of California, Berkeley for
inclusion in 4.2BSD (Berkeley Unix). The RFC (Request for Comments)
documents for the protocol is now known as RFC 959 and is available at
There are two typical modes of running an FTP server - either anonymously or
account-based. Anonymous FTP servers are by far the most popular; they allow
any machine to access the FTP server and the files stored on it with the same
permissions. No usernames or passwords are transmitted down the wire.
Account-based FTP allows users to login with real usernames and passwords.
While it provides greater access control than anonymous FTP, transmitting real
usernames and password unencrypted over the Internet is generally avoided for
security reasons.
An FTP client is the userland application that provides access to FTP
servers. There are many FTP clients available. Some are graphical, and
some are text-based.
<sect1 id="LDAP">
Information about installing, configuring, running and maintaining a LDAP
(Lightweight Directory Access Protocol) Server on a Linux machine is
presented on this section. This section also presents details about how to
create LDAP databases, how to add, how to update and how to delete
information on the directory. This paper is mostly based on the University of
Michigan LDAP information pages and on the OpenLDAP Administrator's Guide.
<sect1 id="NFS">
NFS (Network File System)
The TCP/IP suite's equivalent of file sharing. This protocol operates at the Process/Application
layer of the DOD model, similar to the application layer of the OSI model.
SLIP (Serial Line Internet Protocol) and PPP (Point-to-Point Protocol)
Two protocols commonly used for dial-up access to the Internet. They are typically used with
TCP/IP; while SLIP works only with TCP/IP, PPP can be used with other protocols.
SLIP was the first protocol for dial-up Internet access. It opeates at the physical layer of the
OSI model, and provides a simple interface to a UNIX or other dial-up host for Internet access.
SLIP does not provide security, so authentication is handled through prompts before initiating
the SLIP connection.
PPP is a more recent development. It operates at the physical and data link layers of the OSI
model. In addition to the features of SLIP, PPP supports data compression, security (authentication),
and error control. PPP can also dynamically assign network addresses.
Since PPP provides easier authentication and better security, it should be used for dial-up connections
whenever possible. However, you may need to use SLIRP to communicate with dial-up servers (particularly
older UNIC machines and dedicated hardware servers) that don't support PPP.
> Start Config-HOWTO
2.15. Automount Points
If you don't like the mounting/unmounting thing, consider using autofs(5). You tell the autofs daemon what to automount and where starting with a file, /etc/auto.master. Its structure is simple:
In this example you tell autofs to automount media in /misc and /mnt, while the mountpoints are specified in/etc/auto.misc and /etc/auto.mnt. An example of /etc/auto.misc:
# an NFS export
server -romy.buddy.net:/pub/export
# removable media
cdrom -fstype=iso9660,ro:/dev/hdb
Start the automounter. From now on, whenever you try to access the inexistent mount point /misc/cdrom, il will be created and the CD-ROM will be mounted.
>End Config-HOWTO
5.4. Unix Environment
The preferred way to share files in a Unix networking environment is
through NFS. NFS stands for Network File Sharing and it is a protocol
originally developed by Sun Microsystems. It is a way to share files
between machines as if they were local. A client "mounts" a filesystem
"exported" by an NFS server. The mounted filesystem will appear to the
client machine as if it was part of the local filesystem.
It is possible to mount the root filesystem at startup time, thus
allowing diskless clients to boot up and access all files from a
server. In other words, it is possible to have a fully functional
computer without a hard disk.
Coda is a network filesystem (like NFS) that supports disconnected
operation, persistant caching, among other goodies. It's included in
2.2.x kernels. Really handy for slow or unreliable networks and
NFS-related documents:
· http://metalab.unc.edu/mdw/HOWTO/mini/NFS-Root.html
· http://metalab.unc.edu/mdw/HOWTO/Diskless-HOWTO.html
· http://metalab.unc.edu/mdw/HOWTO/mini/NFS-Root-Client-mini-
· http://www.redhat.com/support/docs/rhl/NFS-Tips/NFS-Tips.html
· http://metalab.unc.edu/mdw/HOWTO/NFS-HOWTO.html
CODA can be found at: http://www.coda.cs.cmu.edu/
5.4. Unix Environment
The preferred way to share files in a Unix networking environment is
through NFS. NFS stands for Network File Sharing and it is a protocol
originally developed by Sun Microsystems. It is a way to share files
between machines as if they were local. A client "mounts" a filesystem
"exported" by an NFS server. The mounted filesystem will appear to the
client machine as if it was part of the local filesystem.
It is possible to mount the root filesystem at startup time, thus
allowing diskless clients to boot up and access all files from a
server. In other words, it is possible to have a fully functional
computer without a hard disk.
Coda is a network filesystem (like NFS) that supports disconnected
operation, persistant caching, among other goodies. It's included in
2.2.x kernels. Really handy for slow or unreliable networks and
NFS-related documents:
· http://metalab.unc.edu/mdw/HOWTO/mini/NFS-Root.html
· http://metalab.unc.edu/mdw/HOWTO/Diskless-HOWTO.html
· http://metalab.unc.edu/mdw/HOWTO/mini/NFS-Root-Client-mini-
· http://www.redhat.com/support/docs/rhl/NFS-Tips/NFS-Tips.html
· http://metalab.unc.edu/mdw/HOWTO/NFS-HOWTO.html
CODA can be found at: http://www.coda.cs.cmu.edu/
Samba is the Linux implementation of SMB under Linux. NFS is the Unix equivalent - a way to import and
export local files to and from remote machines. Like SMB, NFS sends information including user
passwords unencrypted, is its best to limit it to within your local network.
As you know, all storage in Linux is visible within a single tree structure, and new hard disks,
CD-ROMs, Zip drives and other spaces are mounted on a particular directory. NFS shares are also
attached to the system in this manner. NFS is included in most Linux kernels, and the tools
necessary to be an NFS server and client come in most distributions.
However, users of Linux kernel 2.2 hoping to use NFS may wish to upgrade to
kernel 2.4; while the earlier version of Linux NFS did work well, it was far slower than
most other Unix implementations of this protocol.
>Start Config-HOWTO
2.15. Automount Points
If you don't like the mounting/unmounting thing, consider using autofs(5). You tell the autofs daemon what to automount and where starting with a file, /etc/auto.master. Its structure is simple:
In this example you tell autofs to automount media in /misc and /mnt, while the mountpoints are specified in/etc/auto.misc and /etc/auto.mnt. An example of /etc/auto.misc:
# an NFS export
server -romy.buddy.net:/pub/export
# removable media
cdrom -fstype=iso9660,ro:/dev/hdb
Start the automounter. From now on, whenever you try to access the inexistent mount point /misc/cdrom, il will be created and the CD-ROM will be mounted.
>End Config-HOWTO
> NFS-Root mini-HOWTO
> NFS-Root-Client Mini-HOWTO
2. Introduction
2.1. What is NFS?
The Network File System (NFS) was developed to allow machines to mount a disk
partition on a remote machine as if it were on a local hard drive. This
allows for fast, seamless sharing of files across a network.
It also gives the potential for unwanted people to access your hard drive
over the network (and thereby possibly read your email and delete all your
files as well as break into your system) if you set it up incorrectly. So
please read the Security section of this document carefully if you intend to
implement an NFS setup.
There are other systems that provide similar functionality to NFS. Samba
([http://www.samba.org] http://www.samba.org) provides file services to
Windows clients. The Andrew File System from IBM ([http://www.transarc.com/
Product/EFS/AFS/index.html] http://www.transarc.com/Product/EFS/AFS/
index.html), recently open-sourced, provides a file sharing mechanism with
some additional security and performance features. The Coda File System
([http://www.coda.cs.cmu.edu/] http://www.coda.cs.cmu.edu/) is still in
development as of this writing but is designed to work well with disconnected
clients. Many of the features of the Andrew and Coda file systems are slated
for inclusion in the next version of NFS (Version 4) ([http://www.nfsv4.org]
http://www.nfsv4.org). The advantage of NFS today is that it is mature,
standard, well understood, and supported robustly across a variety of
<sect1 id="Samba">
8.11. SAMBA - `NetBEUI', `NetBios', `CIFS' support.
SAMBA is an implementation of the Session Management Block protocol.
Samba allows Microsoft and other systems to mount and use your disks
and printers.
SAMBA and its configuration are covered in detail in the SMB-HOWTO.
5.2. Windows Environment
Samba is a suite of applications that allow most Unices (and in
particular Linux) to integrate into a Microsoft network both as a
client and a server. Acting as a server it allows Windows 95, Windows
for Workgroups, DOS and Windows NT clients to access Linux files and
printing services. It can completely replace Windows NT for file and
printing services, including the automatic downloading of printer
drivers to clients. Acting as a client allows the Linux workstation to
mount locally exported windows file shares.
According to the SAMBA Meta-FAQ:
"Many users report that compared to other SMB implementations Samba is more stable,
faster, and compatible with more clients. Administrators of some large installations say
that Samba is the only SMB server available which will scale to many tens of thousands
of users without crashing"
· <ulink url="http://samba.anu.edu.au/samba/">Samba project home page</ulink>
· <ulink url="http://metalab.unc.edu/mdw/HOWTO/SMB-HOWTO.html">SMB HOWTO</ulink>
· <ulink url="http://metalab.unc.edu/mdw/HOWTO/Printing-HOWTO.html">Printing HOWTO</ulink>
A LanManager like file and printer server for Unix. The Samba software suite is a collection of programs that implements the SMB protocol for unix systems, allowing you to serve files and printers to Windows, NT, OS/2 and DOS clients. This protocol is sometimes also referred to as the LanManager or NetBIOS protocol. This package contains all the components necessary to turn your Debian GNU/Linux box into a powerful file and printer server. Currently, the Samba Debian packages consist of the following: samba - A LanManager like file and printer server for Unix. samba-common - Samba common files used by both the server and the client. smbclient - A LanManager like simple client for Unix. swat - Samba Web Administration Tool samba-doc - Samba documentation. smbfs - Mount and umount commands for the smbfs (kernels 2.0.x and above). libpam-smbpass - pluggable authentication module for SMB password database libsmbclient - Shared library that allows applications to talk to SMB servers libsmbclient-dev - libsmbclient shared libraries winbind: Service to resolve user and group information from Windows NT servers It is possible to install a subset of these packages depending on your particular needs. For example, to access other SMB servers you should only need the smbclient and samba-common packages. From Debian 3.0r0 APT
<ulink url="http://www.tldp.org/LDP/Linux-Dictionary/html/index.html">http://www.tldp.org/LDP/Linux-Dictionary/html/index.html</ulink>
A lot of emphasis has been placed on peaceful coexistence between UNIX and Windows. Unfortunately, the two systems come from very different cultures and they have difficulty getting along without mediation. ...and that, of course, is Samba&apos;s job. Samba &lt;http://samba.org/&gt; runs on UNIX platforms, but speaks to Windows clients like a native. It allows a UNIX system to move into a Windows ``Network Neighborhood&apos;&apos; without causing a stir. Windows users can happily access file and print services without knowing or caring that those services are being offered by a UNIX host. All of this is managed through a protocol suite which is currently known as the ``Common Internet File System,&apos;&apos; or CIFS &lt;http://www.cifs.com&gt;. This name was introduced by Microsoft, and provides some insight into their hopes for the future. At the heart of CIFS is the latest incarnation of the Server Message Block (SMB) protocol, which has a long and tedious history. Samba is an open source CIFS implementation, and is available for free from the http://samba.org/ mirror sites. Samba and Windows are not the only ones to provide CIFS networking. OS/2 supports SMB file and print sharing, and there are commercial CIFS products for Macintosh and other platforms (including several others for UNIX). Samba has been ported to a variety of non-UNIX operating systems, including VMS, AmigaOS, and NetWare. CIFS is also supported on dedicated file server platforms from a variety of vendors. In other words, this stuff is all over the place. From Rute-Users-Guide
<ulink url="http://www.tldp.org/LDP/Linux-Dictionary/html/index.html">http://www.tldp.org/LDP/Linux-Dictionary/html/index.html</ulink>
Samba adds Windows-networking support to UNIX. Whereas NFS is the most popular protocol for sharing files among UNIX machines, SMB is the most popular protocol for sharing files among Windows machines. The Samba package adds the ability for UNIX systems to interact with Windows systems. Key point: The Samba package comprises the following: smbd The Samba service allowing other machines (often Windows) to read files from a UNIX machine. nmbd Provides support for NetBIOS. Logically, the SMB protocol is layered on top of NetBIOS, which is in turn layered on top of TCP/IP. smbmount An extension to the mount program that allows a UNIX machine to connect to another machine implicitly. Files can be accessed as if they were located on the local machines. smbclient Allows files to be access through SMB in an explicity manner. This is a command-line tool much like the FTP tool that allows files to be copied. Unlike smbmount, files cannot be accessed as if they were local. smb.conf The configuration file for Samba. From Hacking-Lexicon
<ulink url="http://www.tldp.org/LDP/Linux-Dictionary/html/index.html">http://www.tldp.org/LDP/Linux-Dictionary/html/index.html</ulink>
Samba Authenticated Gateway HOWTO
Ricardo Alexandre Mattar
v1.2, 2004-05-21
<sect1 id="SSH">
The Secure Shell, or SSH, provides a way of running command line and
graphical applications, and transferring files, over an encrypted
connection. SSH uses up to 2,048-bit encryption with a variety of
cryptographic schemes to make sure that if a cracker intercepts your
connection, all they can see is useless gibberish. It is both a
protocol and a suite of small command line applications which can be
used for various functions.
SSH replaces the old Telnet application, and can be used for secure
remote administration of machines across the Internet. However, it
has more features.
SSH increases the ease of running applications remotely by setting up
permissions automatically. If you can log into a machine, it allows you
to run a graphical application on it, unlike Telnet, which requires users
to type lots of geeky xhost and xauth commands. SSH also has inbuild
compression, which allows your graphic applications to run much faster
over the network.
SCP (Secure Copy) and SFTP (Secure FTP) allow transfer of files over the
remote link, either via SSH's own command line utilities or graphical tools
like Gnome's GFTP. Like Telnet, SSH is cross-platform. You can find SSH
servers and clients for Linux, Unix, all flavours of Windows, BeOS, PalmOS,
Java and Embedded OSes used in routers.
Encrypted remote shell sessions are available through SSH
(<ulink url="http://www.ssh.fi/sshprotocols2/index.html"/>)
thus effectively allowing secure remote administration.
<sect1 id="Telnet">
Created in the early 1970s, Telnet provides a method of running command
line applications on a remote computer as if that person were actually at
the remote site. Telnet is one of the most powerful tools for Unix, allowing
for true remote administration. It is also an interesting program from the
point of view of users, because it allows remote access to all their files
and programs from anywhere in the Internet. Combined with an X server (as
well as some rather arcane manipluation of authentication 'cookies' and
'DISPLAY' environment variables), there is no difference (apart from the
delay) between being at the console or on the other side of the planet.
However, since the 'telnet' protocol sends data 'en-clair' and there are
now more efficient protocols with features such as built-in
compression and 'tunneling' which allows for greater ease of usage of graphical
applications across the network as well as more secure connections it is an
effectively a dead protocol. Like the 'r' (such as rlogin and rsh) related
protocols it is still used though, within internal networks for the reasons
of ease of installation and use as well as backwards compatibility and also
as a means by which to configure networking devices such as routers
and firewalls.
Please consult RFC 854 for further details behind its implementation.
· <ulink url="http://metalab.unc.edu/pub/Linux/system/network/telnet/">
Telnet related software</ulink>
<sect1 id="TFTP">
Trivial File Transfer Protocol TFTP is a bare-bones protocol used by
devices that boot from the network. It is runs on top of UDP, so it
doesn&apos;t require a real TCP/IP stack. Misunderstanding: Many people
describe TFTP as simply a trivial version of FTP without authentication.
This misses the point. The purpose of TFTP is not to reduce the complexity
of file transfer, but to reduce the complexity of the underlying TCP/IP
stack so that it can fit inside boot ROMs. Key point: TFTP is almost
always used with BOOTP. BOOTP first configures the device, then TFTP
transfers the boot image named by BOOTP which is then used to boot the
device. Key point: Many systems come with unnecessary TFTP servers. Many
TFTP servers have bugs, like the backtracking problem or buffer overflows.
As a consequence, many systems can be exploited with TFTP even though
virtually nobody really uses it. Key point: A TFTP file transfer client
is built into many operating systems (UNIX, Windows, etc....). These clients
are often used to download rootkits when being broken into. Therefore,
removing the TFTP client should be part of your hardening procedure.
For further details on the TFTP protocol please see RFC's 1350, 1782,
1783, 1784, and 1785.
Most likely, you'll interface with the TFTP protocol using the TFTP command
line client, 'tftp', which allows users to transfer files to and from a
remote machine. The remote host may be specified on the command line, in
which case tftp uses host as the default host for future transfers.
Setting up TFTP is almost as easy as DHCP.
First install from the rpm package:
# rpm -ihv tftp-server-*.rpm
Create a directory for the files:
# mkdir /tftpboot
# chown nobody:nobody /tftpboot
The directory /tftpboot is owned by user nobody, because this is the default
user id set up by tftpd to access the files. Edit the file /etc/xinetd.d/tftp
to look like the following:
service tftp
socket_type = dgram
protocol = udp
wait = yes
user = root
server = /usr/sbin/in.tftpd
server_args = -c -s /tftpboot
disable = no
per_source = 11
cps = 100 2
The changes from the default file are the parameter disable = no (to enable
the service) and the server argument -c. This argument allows for the
creation of files, which is necessary if you want to save boot or disk
images. You may want to make TFTP read only in normal operation.
Then reload xinetd:
/etc/rc.d/init.d/xinetd reload
You can use the tftp command, available from the tftp (client) rpm package,
to test the server. At the tftp prompt, you can issue the commands put and
<sect1 id="VNC">
8.13. Tunnelling, mobile IP and virtual private networks
The Linux kernel allows the tunnelling (encapsulation) of protocols.
It can do IPX tunnelling through IP, allowing the connection of two
IPX networks through an IP only link. It can also do IP-IP tunnelling,
which it is essential for mobile IP support, multicast support and
amateur radio. (see
Mobile IP specifies enhancements that allow transparent routing of IP
datagrams to mobile nodes in the Internet. Each mobile node is always
identified by its home address, regardless of its current point of
attachment to the Internet. While situated away from its home, a
mobile node is also associated with a care-of address, which provides
information about its current point of attachment to the Internet.
The protocol provides for registering the care-of address with a home
agent. The home agent sends datagrams destined for the mobile node
through a tunnel to the care-of address. After arriving at the end of
the tunnel, each datagram is then delivered to the mobile node.
Point-to-Point Tunneling Protocol (PPTP) is a networking technology
that allows the use of the Internet as a secure virtual private
network (VPN). PPTP is integrated with the Remote Access Services
(RAS) server which is built into Windows NT Server. With PPTP, users
can dial into a local ISP, or connect directly to the Internet, and
access their network as if they were at their desks. PPTP is a closed
protocol and its security has recently being compromised. It is highly
recomendable to use other Linux based alternatives, since they rely on
open standards which have been carefully examined and tested.
· A client implementation of the PPTP for Linux is available here
<ulink url="http://www.pdos.lcs.mit.edu/~cananian/Projects/PPTP/"/>
· More on Linux PPTP can be found here
<ulink url="http://bmrc.berkeley.edu/people/chaffee/linux_pptp.html"/>
Mobile IP:
· <ulink url="http://www.hpl.hp.com/personal/Jean_Tourrilhes/MobileIP/mip.html"/>
· <ulink url="http://metalab.unc.edu/mdw/HOWTO/NET3-4-HOWTO-6.html#ss6.12"/>
Virtual Private Networks related documents:
· <ulink url="http://metalab.unc.edu/mdw/HOWTO/mini/VPN.html"/>
· <ulink url="http://sites.inka.de/sites/bigred/devel/cipe.html"/>
7.4. VNC
VNC stands for Virtual Network Computing. It is, in essence, a remote
display system which allows one to view a computing 'desktop'
environment not only on the machine where it is running, but from
anywhere on the Internet and from a wide variety of machine
architectures. Both clients and servers exist for Linux as well as for
many other platforms. It is possible to execute MS-Word in a Windows
NT or 95 machine and have the output displayed in a Linux machine. The
opposite is also true; it is possible to execute an application in a
Linux machine and have the output displayed in any other Linux or
Windows machine. One of the available clients is a Java applet,
allowing the remote display to be run inside a web browser. Another
client is a port for Linux using the SVGAlib graphics library,
allowing 386s with as little as 4 MB of RAM to become fully functional
· <ulink url="http://www.orl.co.uk/vnc/">VNC web site</ulink>
Virtual Network Computing (VNC) allows a user to operate a session running on another machine.
Although Linux and all other Unix-like OSes already have this functionality built in, VNC
provides further advantages because it's cross-platform, running on Linux, BSD, Unix, Win32,
MacOS, and PalmOS. This makes it far more versatile.
For example, let's assume the machine that you are attempting to connect to is running Linux.
You can use VNC to access applications running on that other Linux desktop. You can also use
VNC to provide technical support to users on Window's based machines by taking control of
their desktops from the comfort of your server room. VNC is usually installed as seperate
packages for the client and server, typically named 'vnc' and 'vnc-server'.
VNC uses screen numbers to connect clients to servers. This is because Unix machines allow
multiple graphical sessions to be stated simultaneously (check this out by logging in to a
virtual terminal and typing startx -- :1).
For platforms (Windows, MacOS, Palm, etc) which don't have this capability, you'll connect
to 'screen 0' and take over the session of the existing user. For Unix systems, you'll need
to specify a higher number and receive a new desktop.
If you prefer the Windows-style approach where the VNC client takes over the currently
running display, you can use x0rfbserver - see the sidebox below.
VNC Servers and Clients
On Linux, the VNC server (which allows the machine to be used remotely) is actually
run as a replacement X server. To be able to start a VNC session to a machine, log
into it and run vncserver. You'll be prompted for a password - in future you can
change this password with the vncpasswd command. After you enter the password, you'll
be told the display number of the newly created machine.
It is possible to control a remote macine by using the vncviewer command. If it is
typed on its own it will prompt for a remote machine, or you can use:
vncviewer [host]:[screen-number]
> The VPN HOWTO, deprecated!!!!
> Linux VPN Masquerade HOWTO
10. References
10.1. Web Sites
<ulink url="http://sites.inka.de/~bigred/devel/cipe.html">Cipe Home Page</ulink>
<ulink url="http://ipmasq.cjb.net">Masq Home Page</ulink>
<ulink url="http://samba.anu.edu.au">Samba Home Page</ulink>
<ulink url="http://www.linuxhq.com">Linux HQ</ulink>
---great site for lots of linux info
10.2. Documentation
cipe.info: info file included with cipe distribution
Firewall HOWTO, by Mark Grennan, markg@netplus.net
IP Masquerade mini-HOWTO,by Ambrose Au, ambrose@writeme.com
IPChains-Howto, by Paul Russell, Paul.Russell@rustcorp.com.au
<sect1 id="Web-Serving">
The World Wide Web provides a simple method of publishing and linking
information across the Internet, and is responsible for popularising
the Internet to its current level. In the simplest case, a Web client
(or browser), such as Netscape or Internet Explorer, connects with a
Web server using a simple request/response protocol called HTTP
(Hypertext Transfer Protocol), and requests HTML (Hypertext Markup
Language) pages, images, Flash and other objects.
In mode modern situations, the Web server can also geneate pages
dynamically based on information returned from the user. Either way
setting up your own Web server is extremely simple. There are many
choices for Web serving under Linux. Some servers are very mature,
such as Apache, and are perfect for small and large sites alike.
Other servers programmed to be light and fast, and to have only a
limited feature set to reduce complexity. A search on freshmeat.net
will reveal a multitude of servers.
Most Linux distributions include Apache <ulink url="http://www.apache.org"/>.
Apache is the number one server on the internet according to
http://www.netcraft.co.uk/survey/ . More than a half of all internet
sites are running Apache or one of it derivatives. Apache's advantages
include its modular design, stability and speed. Given the appropriate
hardware and configuration it can support the highest loads: Yahoo,
Altavista, GeoCities, and Hotmail are based on customized versions of
this server.
Optional support for SSL (which enables secure transactions) is also
available at:
· http://www.apache-ssl.org/
· http://raven.covalent.net/
· http://www.c2.net/
Dynamic Web content generation
Web scripting languages are even more common on Linux than databases
- basically, every language is available. This includes CGI,
PHP 3 and 4, Perl, JSP, ASP (via closed source applications from
Chill!soft and Halycon Software) and ColdFusion.
PHP is an open source scripting language designed to churn out
dynamically produced Web content ranging from databases to browsers.
This inludes not only HTML, but also graphics, Macromedia Flash and
XML-based information. The latest versions of PHP provide impressive
speed improvements, install easily from packages and can be set up
quickly. PHP is the most popular Apache module and is used by over
two million sites, including Amazon.com, US telco giant Sprint,
Xoom Networks and Lycos. And unlike most other server side scripting
languages, developers (or those that employ them) can add their own
functions into the source to improve it. Supported databases include
those in the Database serving section and most ODBC compliant
databases. The language itself borrows its structure from Perl and C.
· http://metalab.unc.edu/mdw/HOWTO/WWW-HOWTO.html
· http://metalab.unc.edu/mdw/HOWTO/Virtual-Services-HOWTO.html
· http://metalab.unc.edu/mdw/HOWTO/Intranet-Server-HOWTO.html
· <ulink url="http://www.linuxlinks.com/Software/Internet/WebServers/">Web servers for Linux</ulink>
<sect1 id="X11">
The X Window System was developed at MIT in the late 1980s, rapidly
becoming the industry standard windowing system for Unix graphics
workstations. The software is freely available, very versatile, and is
suitable for a wide range of hardware platforms. Any X environment
consists of two distinct parts, the X server and one or more X
clients. It is important to realise the distinction between the server
and the client. The server controls the display directly and is
responsible for all input/output via the keyboard, mouse or display.
The clients, on the other hand, do not access the screen directly -
they communicate with the server, which handles all input and output.
It is the clients which do the "real" computing work - running
applications or whatever. The clients communicate with the server,
causing the server to open one or more windows to handle input and
output for that client.
In short, the X Window System allows a user to log in into a remote
machine, execute a process (for example, open a web browser) and have
the output displayed on his own machine. Because the process is
actually being executed on the remote system, very little CPU power is
needed in the local one. Indeed, computers exist whose primary purpose
is to act as pure X servers. Such systems are called X terminals.
A free port of the X Window System exists for Linux and can be found
at: Xfree <ulink url="http://www.xfree86.org/"/>. It is included in most Linux
For further information regarding X please see:
X11, LBX, DXPC, NXServer, SSH, MAS
Related HOWTOs:
· Remote X Apps HOWTO
· XDM and X Terminal mini-HOWTO
· The Linux XFree86 HOWTO
· ATI R200 + XFree86 4.x mini-HOWTO
· Second Mouse in X mini-HOWTO
· Linux Touch Screen HOWTO
· XFree86 Video Timings HOWTO
· Linux XFree-to-Xinside mini-HOWTO
· XFree Local Multi-User HOWTO
· Using Xinerama to MultiHead XFree86 V. 4.0+
· Connecting X Terminals to Linux Mini-HOWTO
· How to change the title of an xterm
· X Window System Architecture Overview HOWTO
· The X Window User HOWTO
<sect1 id="Email">
Alongside the Web, mail is the top reason for the popularity of the Internet. Email is an inexpensive and fast method of time-shifted messaging which, much like the Web, is actually based around sending and receiving plain text files. The protocol used is called the Simple Mail Transfer Protocol (SMTP). The server programs that implement SMTP to move mail from one server to another are called Mail Transfer Agents (MTAs).
In times gone by, users would Telnet into the SMTP server itself and use a command line program like elm or pine to check ther mail. These days, users run email clients like Netscape, Evolution, Kmail or Outlook on their desktop to check their email off a local SMTP server. Additional protocols like POP3 and IMAP4 are used between the SMTP server and desktop mail client to allow clients to manipulate files on, and download from, their local mail server. The programs that implement POP3 and IMAP4 are called Mail Delivery Agents (MDAs). They are generally separate from MTAs.
* Linux Mail-Queue mini-HOWTO
* The Linux Mail User HOWTO
<sect1 id="Proxy-Caching">
8.11. Proxy Server
The term proxy means "to do something on behalf of someone else." In
networking terms, a proxy server computer can act on the behalf of
several clients. An HTTP proxy is a machine that receives requests for
web pages from another machine (Machine A). The proxy gets the page
requested and returns the result to Machine A. The proxy may have a
cache with the requested pages, so if another machine asks for the
same page the copy in the cache will be returned instead. This allows
efficient use of bandwidth resources and less response time. As a side
effect, as client machines are not directly connected to the outside
world this is a way of securing the internal network. A well-
configured proxy can be as effective as a good firewall.
Several proxy servers exist for Linux. One popular solution is the
Apache proxy module. A more complete and robust implementation of an
HTTP proxy is SQUID.
· <ulink url="http://www.apache.org">Apache</ulink>
· <ulink url="http://squid.nlanr.net/">Squid</ulink>
When a web browser retreives information from the Internet, it stores a copy of that information
in a cache on the local machine. When a user requests that information in future, the browser will check to seee if the original source has updated; if not, the browser will simply use the cached version rather than fetch the data again. By doing this, there is less information that needs to be downloadded, which makes the connection seem responsive to users and reduces bandwidth costs. But if there are many browsers accessing the Internet through the same connection, it makes better sense to have a single, centralised cache so that once a single machine has requested some information, the next machine to try and download that information can also access it more quickly. This is the theory behind the proxy cache. Squid is by far the most popular cache used on the Web, and can also be used to accelerate Web serving.
Although Squid is useful for an ISP, large businesses or even a small office can afford to use Squid to speed up transfers and save money, and it can easily be used to the same effect in a home with a few flatmates sharing a cable or ADSL connection.
Traffic Control HOWTO
ProxyARP Subnetting HOWTO
<sect1 id="NTP">
Time synchorinisation is generally considered important in the computing
environment. There are a number of reasons why this is important: it makes
sure your scheduled cron tasks on your various servers run well together,
it allows better use of log files between various machines to help
troubleshoot problems, and synchronised, correct logs are also useful if
your servers are ever attacked by crackers (either to report the attempt
to organisations such as AusCERT or in court to use against the bad guys).
Users who have overclocked their machine might also use time synchronisation
techniques to bring the time on their machines back to an accurate figure
at regular intervals, say every 20 minutes of so. This section contains an
overview of time keeping under Linux and some information about NTP, a
protocol which can be used to accurately reset the time across a computer
2. How Linux Keeps Track of Time
2.1. Basic Strategies
A Linux system actually has two clocks: One is the battery powered
"Real Time Clock" (also known as the "RTC", "CMOS clock", or "Hardware
clock") which keeps track of time when the system is turned off but is
not used when the system is running. The other is the "system clock"
(sometimes called the "kernel clock" or "software clock") which is a
software counter based on the timer interrupt. It does not exist when
the system is not running, so it has to be initialized from the RTC
(or some other time source) at boot time. References to "the clock" in
the ntpd documentation refer to the system clock, not the RTC.
The two clocks will drift at different rates, so they will gradually
drift apart from each other, and also away from the "real" time. The
simplest way to keep them on time is to measure their drift rates and
apply correction factors in software. Since the RTC is only used when
the system is not running, the correction factor is applied when the
clock is read at boot time, using clock(8) or hwclock(8). The system
clock is corrected by adjusting the rate at which the system time is
advanced with each timer interrupt, using adjtimex(8).
A crude alternative to adjtimex(8) is to have chron run clock(8) or
hwclock(8) periodically to sync the system time to the (corrected)
RTC. This was recommended in the clock(8) man page, and it works if
you do it often enough that you don't cause large "jumps" in the
system time, but adjtimex(8) is a more elegant solution. Some
applications may complain if the time jumps backwards.
The next step up in accuracy is to use a program like ntpd to read the
time periodically from a network time server or radio clock, and
continuously adjust the rate of the system clock so that the times
always match, without causing sudden "jumps" in the system time. If
you always have a network connection at boot time, you can ignore the
RTC completely and use ntpdate (which comes with the ntpd package) to
initialize the system clock from a time server-- either a local server
on a LAN, or a remote server on the internet. But if you sometimes
don't have a network connection, or if you need the time to be
accurate during the boot sequence before the network is active, then
you need to maintain the time in the RTC as well.
2.2. Potential Conflicts
It might seem obvious that if you're using a program like ntpd, you
would want to sync the RTC to the (corrected) system clock. But this
turns out to be a bad idea if the system is going to stay shut down
longer than a few minutes, because it interferes with the programs
that apply the correction factor to the RTC at boot time.
If the system runs 24/7 and is always rebooted immediately whenever
it's shut down, then you can just set the RTC from the system clock
right before you reboot. The RTC won't drift enough to make a
difference in the time it takes to reboot, so you don't need to know
its drift rate.
Of course the system may go down unexpectedly, so some versions of the
kernel sync the RTC to the system clock every 11 minutes if the system
clock has been adjusted by another program. The RTC won't drift enough
in 11 minutes to make any difference, but if the system is down long
enough for the RTC to drift significantly, then you have a problem:
the programs that apply the drift correction to the RTC need to know
*exactly* when it was last reset, and the kernel doesn't record that
information anywhere.
Some unix "traditionalists" might wonder why anyone would run a linux
system less than 24/7, but some of us run dual-boot systems with
another OS running some of the time, or run Linux on laptops that have
to be shut down to conserve battery power when they're not being used.
Other people just don't like to leave machines running unattended for
long periods of time (even though we've heard all the arguments in
favor of it). So the "every 11 minutes" feature becomes a bug.
This "feature/bug" appears to behave differently in different versions
of the kernel (and possibly in different versions of xntpd and ntpd as
well), so if you're running both ntpd and hwclock you may need to test
your system to see what it actually does. If you can't keep the kernel
from resetting the RTC, you might have to run without a correction
factor on the RTC.
The part of the kernel that controls this can be found in
/usr/src/linux-2.0.34/arch/i386/kernel/time.c (where the version
number in the path will be the version of the kernel you're running).
If the variable time_status is set to TIME_OK then the kernel will
write the system time to the RTC every 11 minutes, otherwise it leaves
the RTC alone. Calls to adjtimex(2) (as used by ntpd and timed, for
example) may turn this on. Calls to settimeofday(2) will set
time_status to TIME_UNSYNC, which tells the kernel not to adjust the
RTC. I have not found any real documentation on this.
I've heard reports that some versions of the kernel may have problems
with "sleep modes" that shut down the CPU to save energy. The best
solution is to keep your kernel up to date, and refer any problems to
the people who maintain the kernel.
If you get bizarre results from the RTC you may have a hardware
problem. Some RTC chips include a lithium battery that can run down,
and some motherboards have an option for an external battery (be sure
the jumper is set correctly). The same battery maintains the CMOS RAM,
but the clock takes more power and is likely to fail first. Bizarre
results from the system clock may mean there is a problem with
2.3. Should the RTC use Local Time or UTC, and What About DST?
The Linux "system clock" actually just counts the number of seconds
past Jan 1, 1970, and is always in UTC (or GMT, which is technically
different but close enough that casual users tend to use both terms
interchangeably). UTC does not change as DST comes and goes-- what
changes is the conversion between UTC and local time. The translation
to local time is done by library functions that are linked into the
application programs.
This has two consequences: First, any application that needs to know
the local time also needs to know what time zone you're in, and
whether DST is in effect or not (see the next section for more on time
zones). Second, there is no provision in the kernel to change either
the system clock or the RTC as DST comes and goes, because UTC doesn't
change. Therefore, machines that only run Linux should have the RTC
set to UTC, not local time.
However, many people run dual-boot systems with other OS's that expect
the RTC to contain the local time, so hwclock needs to know whether
your RTC is in local time or UTC, which it then converts to seconds
past Jan 1, 1970 (UTC). This still does not provide for seasonal
changes to the RTC, so the change must be made by the other OS (this
is the one exception to the rule against letting more than one program
change the time in the RTC).
Unfortunately, there are no flags in the RTC or the CMOS RAM to
indicate standard time vs DST, so each OS stores this information
someplace where the other OS's can't find it. This means that hwclock
must assume that the RTC always contains the correct local time, even
if the other OS has not been run since the most recent seasonal time
If Linux is running when the seasonal time change occurs, the system
clock is unaffected and applications will make the correct conversion.
But if linux has to be rebooted for any reason, the system clock will
be set to the time in the RTC, which will be off by one hour until the
other OS (usually Windows) has a chance to run.
There is no way around this, but Linux doesn't crash very often, so
the most likely reason to reboot on a dual-boot system is to run the
other OS anyway. But beware if you're one of those people who shuts
down Linux whenever you won't be using it for a while-- if you haven't
had a chance to run the other OS since the last time change, the RTC
will be off by an hour until you do.
Some other documents have stated that setting the RTC to UTC allows
Linux to take care of DST properly. This is not really wrong, but it
doesn't tell the whole story-- as long as you don't reboot, it does
not matter which time is in the RTC (or even if the RTC's battery
dies). Linux will maintain the correct time either way, until the next
reboot. In theory, if you only reboot once a year (which is not
unreasonable for Linux), DST could come and go and you'd never notice
that the RTC had been wrong for several months, because the system
clock would have stayed correct all along. But since you can't predict
when you'll want to reboot, it's better to have the RTC set to UTC if
you're not running another OS that requires local time.
The Dallas Semiconductor RTC chip (which is a drop-in replacement for
the Motorola chip used in the IBM AT and clones) actually has the
ability to do the DST conversion by itself, but this feature is not
used because the changeover dates are hard-wired into the chip and
can't be changed. Current versions change on the first Sunday in April
and the last Sunday in October, but earlier versions used different
dates (and obviously this doesn't work in countries that use other
dates). Also, the RTC is often integrated into the motherboard's
"chipset" (rather than being a separate chip) and I don't know if they
all have this ability.
2.4. How Linux keeps Track of Time Zones
You probably set your time zone correctly when you installed Linux.
But if you have to change it for some reason, or if the local laws
regarding DST have changed (as they do frequently in some countries),
then you'll need to know how to change it. If your system time is off
by some exact number of hours, you may have a time zone problem (or a
DST problem).
Time zone and DST information is stored in /usr/share/zoneinfo (or
/usr/lib/zoneinfo on older systems). The local time zone is
determined by a symbolic link from /etc/localtime to one of these
files. The way to change your timezone is to change the link. If
your local DST dates have changed, you'll have to edit the file.
You can also use the TZ environment variable to change the current
time zone, which is handy of you're logged in remotely to a machine in
another time zone. Also see the man pages for tzset and tzfile.
This is nicely summarized at
<ulink url="http://www.linuxsa.org.au/tips/time.html"/>
2.5. The Bottom Line
If you don't need sub-second accuracy, hwclock(8) and adjtimex(8) may
be all you need. It's easy to get enthused about time servers and
radio clocks and so on, but I ran the old clock(8) program for years
with excellent results. On the other hand, if you have several
machines on a LAN it can be handy (and sometimes essential) to have
them automatically sync their clocks to each other. And the other
stuff can be fun to play with even if you don't really need it.
On machines that only run Linux, set the RTC to UTC (or GMT). On
dual-boot systems that require local time in the RTC, be aware that if
you have to reboot Linux after the seasonal time change, the clock may
be temporarily off by one hour, until you have a chance to run the
other OS. If you run more than two OS's, be sure only one of them is
trying to adjust for DST.
NTP is a standard method of synchronising time on a client from a remote
server across the network. NTP clients are typically installed on servers.
NTP is a standard method of synchronising time across a network of
computers. NTP clients are typically installed on servers.
Most business class ISPs provide NTP servers. Otherwise, there are a
number of free NTP servers in Australia:
The Univeristy of Melbourne ntp.cs.mu.oz.au
University of Adelaide ntp.saard.net
CSIRO Marine Labs, Tasmania ntp.ml.csiro.au
CSIRO National Measurements Laboratory, Sydney ntp.syd.dms.csiro.au
Xntpd (NTPv3) has been replaced by ntpd (NTPv4); the earlier version
is no longer being maintained.
Ntpd is the standard program for synchronizing clocks across a
network, and it comes with a list of public time servers you can
connect to. It can be a little more complicated to set up, but if
you're interested in this kind of thing I highly recommend that you
take a look at it.
The "home base" for information on ntpd is the NTP website at
<ulink url="http://www.eecis.udel.edu/~ntp/"/> which also includes links to all
kinds of interesting time-related stuff (including software for other
OS's). Some linux distributions include ntpd on the CD. There is a
list of public time servers at
<ulink url="http://www.eecis.udel.edu/~mills/ntp/clock2.html"/>.
A relatively new feature in ntpd is a "burst mode" which is designed
for machines that have only intermittent dial-up access to the
Ntpd includes drivers for quite a few radio clocks (although some
appear to be better supported than others). Most radio clocks are
designed for commercial use and cost thousands of dollars, but there
are some cheaper alternatives (discussed in later sections). In the
past most were WWV or WWVB receivers, but now most of them seem to be
GPS receivers. NIST has a PDF file that lists manufacturers of radio
clocks on their website at
<ulink url="http://www.boulder.nist.gov/timefreq/links.htm"/> (near the bottom of
the page). The NTP website also includes many links to manufacturers
of radio clocks at <ulink url="http://www.eecis.udel.edu/~ntp/hardware.htm"/> and
<ulink url="http://www.eecis.udel.edu/~mills/ntp/refclock.htm"/>. Either list may
or may not be up to date at any given time :-). The list of drivers
for ntpd is at
<ulink url="http://www.eecis.udel.edu/~ntp/ntp_spool/html/refclock.htm"/>.
Ntpd also includes drivers for several dial-up time services. These
are all long-distance (toll) calls, so be sure to calculate the effect
on your phone bill before using them.
3.4. Chrony
Xntpd was originally written for machines that have a full-time
connection to a network time server or radio clock. In theory it can
also be used with machines that are only connected intermittently, but
Richard Curnow couldn't get it to work the way he wanted it to, so he
wrote "chrony" as an alternative for those of us who only have network
access when we're dialed in to an ISP (this is the same problem that
ntpd's new "burst mode" was designed to solve). The current version
of chrony includes drift correction for the RTC, for machines that are
turned off for long periods of time.
You can get more information from Richard Curnow's website at
<ulink url="http://www.rrbcurnow.freeuk.com/chrony"/> or <ulink url="http://go.to/chrony"/>.
There are also two chrony mailing lists, one for announcements and one
for discussion by users. For information send email to chrony-users-
subscribe@egroups.com or chrony-announce-subscribe@egroups.com
Chrony is normally distributed as source code only, but Debian has
been including a binary in their "unstable" collection. The source
file is also available at the usual Linux archive sites.
3.5. Clockspeed
Another option is the clockspeed program by DJ Bernstein. It gets the
time from a network time server and simply resets the system clock
every three seconds. It can also be used to synchronize several
machines on a LAN.
I've sometimes had trouble reaching his website at
<ulink url="http://Cr.yp.to/clockspeed.html"/>, so if you get a DNS error try again
on another day. I'll try to update this section if I get some better
You must be logged in as "root" to run any program that affects
the RTC or the system time, which includes most of the programs
described here. If you normally use a graphical interface for
everything, you may also need to learn some basic unix shell
If you run more than one OS on your machine, you should only let
one of them set the RTC, so they don't confuse each other. The
exception is the twice-a-year adjustment for Daylight Saving(s)
If you run a dual-boot system that spends a lot of time running
Windows, you may want to check out some of the clock software
available for that OS instead. Follow the links on the NTP website at
<ulink url="http://www.eecis.udel.edu/~ntp/software.html"/>.
<sect1 id="Traffic-Control">
8.6. Traffic Shaping
The traffic shaper is a virtual network device that makes it possible
to limit the rate of outgoing data flow over another network device.
This is especially useful in scenarios such as ISPs, where it is
desirable to control and enforce policies regarding how much bandwidth
is used by each client. Another alternative (for web services only)
may be certain Apache modules which restrict the number of IP
connections by client or the bandwidth used.
Traffic control encompasses the sets of mechanisms and operations by which
packets are queued for transmission/reception on a network interface. The
operations include enqueuing, policing, classifying, scheduling, shaping and
dropping. This HOWTO provides an introduction and overview of the
capabilities and implementation of traffic control under Linux.
  *  the linux DiffServ project
  *  HTB site (Martin "devik" Devera)
  *  Traffic Control Next Generation (tcng)
TCNG manual (Werner Almesberger)
  *  iproute2 (Alexey Kuznetsov)
iproute2 manual (Alexey Kuznetsov)
  *  Research and documentation on traffic control under linux (Stef Coene)
  *  LARTC HOWTO (bert hubert, et. al.)
  *  guide to IP networking with linux (Martin A. Brown)
* <ulink url="http://metalab.unc.edu/mdw/HOWTO/NET3-4-HOWTO-6.html#ss6.15"/>
* Traffic Control HOWTO
<sect1 id="Load-Balancing">
Demand for load balancing usually arises in database/web access when
many clients make simultaneous requests to a server. It would be
desirable to have multiple identical servers and redirect requests to
the less loaded server. This can be achieved through Network Address
Translation techniques (NAT) of which IP masquerading is a subset.
Network administrators can replace a single server providing Web
services - or any other application - with a logical pool of servers
sharing a common IP address. Incoming connections are directed to a
particular server using one load-balancing algorithm. The virtual
server rewrites incoming and outgoing packets to give clients the
appearance that only one server exists.
Linux IP-NAT information may be found here <ulink url="http://www.csn.tu-chemnitz.de/HyperNews/get/linux-ip-nat.html"/>
<sect1 id="Bandwidth-Limiting">
This section describes how to set up your Linux server to limit download
bandwidth or incoming traffic and how to use your internet link more
efficiently. It is meant to provide an easy solution for limiting
incoming traffic, thus preventing our LAN users from consuming all the
bandwidth of our internet link. This is useful when our internet link
is slow or our LAN users download tons of mp3s and the newest Linux
distro's *.iso files.
* Bandwidth Limiting HOWTO
6. Miscellaneous
6.1. Useful resources
Squid Web Proxy Cache
[http://www.squid-cache.org] http://www.squid-cache.org
Squid 2.4 Stable 1 Configuration manual
[http://www.visolve.com/squidman/Configuration%20Guide.html] http://
[http://www.visolve.com/squidman/Delaypool%20parameters.htm] http://
Squid FAQ
[http://www.squid-cache.org/Doc/FAQ/FAQ-19.html#ss19.8] http://
cbq-init script
[ftp://ftp.equinox.gu.net/pub/linux/cbq/] ftp://ftp.equinox.gu.net/pub/linux/
Linux 2.4 Advanced Routing HOWTO
[http://www.linuxdoc.org/HOWTO/Adv-Routing-HOWTO.html] http://
Traffic control (in Polish)
[http://ceti.pl/~kravietz/cbq/] http://ceti.pl/~kravietz/cbq/
Securing and Optimizing Linux Red Hat Edition - A Hands on Guide
[http://www.linuxdoc.org/guides.html] http://www.linuxdoc.org/guides.html
[http://cebu.mozcom.com/riker/iptraf/] http://cebu.mozcom.com/riker/iptraf/
[http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html] http://www.linuxdoc.org/
Nylon socks proxy server
[http://mesh.eecs.umich.edu/projects/nylon/] http://mesh.eecs.umich.edu/
Indonesian translation of this HOWTO by Rahmat Rafiudin mjl_id@yahoo.com
[http://raf.unisba.ac.id/resources/BandwidthLimitingHOWTO/index.html] http://
<sect1 id="IP-Accounting">
This option of the Linux kernel keeps track of IP network traffic,
performs packet logging and produces some statistics. A series of
rules may be defined so when a packet matches a given pattern, some
action is performed: a counter is increased, it is accepted/rejected,
6.3. IP Accounting (for Linux-2.0)
The IP accounting features of the Linux kernel allow you to collect
and analyze some network usage data. The data collected comprises the
number of packets and the number of bytes accumulated since the
figures were last reset. You may specify a variety of rules to
categorize the figures to suit whatever purpose you may have. This
option has been removed in kernel 2.1.102, because the old ipfwadm-
based firewalling was replaced by ``ipfwchains''.
Kernel Compile Options:
Networking options --->
[*] IP: accounting
After you have compiled and installed the kernel you need to use the
ipfwadm command to configure IP accounting. There are many different
ways of breaking down the accounting information that you might
choose. I've picked a simple example of what might be useful to use,
you should read the ipfwadm man page for more information.
Scenario: You have a ethernet network that is linked to the internet
via a PPP link. On the ethernet you have a machine that offers a
number of services and that you are interested in knowing how much
traffic is generated by each of ftp and world wide web traffic, as
well as total tcp and udp traffic.
You might use a command set that looks like the following, which is
shown as a shell script:
# Flush the accounting rules
ipfwadm -A -f
# Set shortcuts
# Add rules for local ethernet segment
ipfwadm -A in -a -P tcp -D $localnet ftp-data
ipfwadm -A out -a -P tcp -S $localnet ftp-data
ipfwadm -A in -a -P tcp -D $localnet www
ipfwadm -A out -a -P tcp -S $localnet www
ipfwadm -A in -a -P tcp -D $localnet
ipfwadm -A out -a -P tcp -S $localnet
ipfwadm -A in -a -P udp -D $localnet
ipfwadm -A out -a -P udp -S $localnet
# Rules for default
ipfwadm -A in -a -P tcp -D $any ftp-data
ipfwadm -A out -a -P tcp -S $any ftp-data
ipfwadm -A in -a -P tcp -D $any www
ipfwadm -A out -a -P tcp -S $any www
ipfwadm -A in -a -P tcp -D $any
ipfwadm -A out -a -P tcp -S $any
ipfwadm -A in -a -P udp -D $any
ipfwadm -A out -a -P udp -S $any
# List the rules
ipfwadm -A -l -n
The names ``ftp-data'' and ``www'' refer to lines in /etc/services.
The last command lists each of the Accounting rules and displays the
collected totals.
An important point to note when analyzing IP accounting is that totals
for all rules that match will be incremented so that to obtain
differential figures you need to perform appropriate maths. For
example if I wanted to know how much data was not ftp nor www I would
substract the individual totals from the rule that matches all ports.
root# ipfwadm -A -l -n
IP accounting rules
pkts bytes dir prot source destination ports
0 0 in tcp * -> 20
0 0 out tcp 20 -> *
10 1166 in tcp * -> 80
10 572 out tcp 80 -> *
252 10943 in tcp * -> *
231 18831 out tcp * -> *
0 0 in udp * -> *
0 0 out udp * -> *
0 0 in tcp * -> 20
0 0 out tcp 20 -> *
10 1166 in tcp * -> 80
10 572 out tcp 80 -> *
253 10983 in tcp * -> *
231 18831 out tcp * -> *
0 0 in udp * -> *
0 0 out udp * -> *
6.4. IP Accounting (for Linux-2.2)
The new accounting code is accessed via ``IP Firewall Chains''. See
the IP chains home page for more information. Among other things,
you'll now need to use ipchains instead of ipfwadm to configure your
filters. (From Documentation/Changes in the latest kernel sources).
<sect1 id="IP-Aliasing">
This is a cookbook recipe on how to set up and run IP aliasing on a Linux box
and how to set up the machine to receive e-mail on the aliased IP addresses.
This feature of the Linux kernel provides the possibility of setting
multiple network addresses on the same low-level network device driver
(e.g two IP addresses in one Ethernet card). It is typically used for
services that act differently based on the address they listen on
(e.g. "multihosting" or "virtual domains" or "virtual hosting
There are some applications where being able to configure multiple IP
addresses to a single network device is useful. Internet Service
Providers often use this facility to provide a `customized' to their
World Wide Web and ftp offerings for their customers. You can refer to
the ``IP-Alias mini-HOWTO'' for more information than you find here.
<sect1 id="Multicasting">
* Multicast HOWTO
<sect1 id="Network-Management">
There is an impressive number of tools focused on network management
and remote administration under Linux. Some interesting remote administration
projects are linuxconf and webmin:
· <ulink url="http://www.webmin.com/webmin/">Webmin</ulink>
· <ulink url="http://www.solucorp.qc.ca/linuxconf/">Linuxconf</ulink>
Other tools include network traffic analysis tools, network security
tools, monitoring tools, configuration tools, etc. An archive of many
of these tools may be found at Metalab
<ulink url="http://www.metalab.unc.edu/pub/Linux/system/network/"/>
9.2. SNMP
The Simple Network Management Protocol is a protocol for Internet
network management services. It allows for remote monitoring and
configuration of routers, bridges, network cards, switches, etc...
There is a large amount of libraries, clients, daemons and SNMP based
monitoring programs available for Linux. A good page dealing with SNMP
and Linux software may be found at : http://linas.org/linux/NMS.html
10. Enterprise Linux Networking
In certain situations it is necessary for the networking
infrastructure to have proper mechanisms to guarantee network
availability nearly 100% of the time. Some related techniques are
described in the following sections. Most of the following material
can be found at the excellent Linas website:
http://linas.org/linux/index.html and in the
<ulink url="http://metalab.unc.edu/pub/Linux/ALPHA/linux-ha/High-Availability-HOWTO.html">Linux High-Availability
10.1. High Availability
Redundancy is used to prevent the overall IT system from having single
points of failure. A server with only one network card or a single
SCSI disk has two single points of failure. The objective is to mask
unplanned outages from users in a manner that lets users continue to
work quickly. High availability software is a set of scripts and tools
that automatically monitor and detect failures, taking the appropriate
steps to restore normal operation and to notifying system
<sect1 id="Redundant-Networking">
IP Address Takeover (IPAT). When a network adapter card fails, its IP
address should be taken by a working network card in the same node or
in another node. MAC Address Takeover: when an IP takeover occurs, it
should be made sure that all the nodes in the network update their ARP
caches (the mapping between IP and MAC addresses).
See the High-Availability HOWTO for more details: