LDP
/
LDP
mirror of https://github.com/tLDP/LDP
0
1
Fork 0
Code Releases Activity
LDP/LDP/guide/docbook/Linux-Networking/Protocols-Standards-Service...

3249 lines
132 KiB
XML
Raw Blame History

<sect1 id="Protocols-Standards-Services">
<title>Protocols-and-Standards-Services</title>
<para>
IEEE (Institute of Electrical and Electronics Engineers) 802 Standards
802.1 Internetworking
802.2 Logical Link Control (LLC)
802.3 CSMA/CD (Ethernet) media access method
802.4 Token bus media access method
802.5 Token Ring Media access method
802.6 Metropolitan Area Netwoks (MANs)
802.7 Broadband technologies
802.8 Fiber optic technologies
802.9 Hybrid (voice and data) networking
802.10 Network security
802.11 Wireless Networking
802.12 High-speed LANs
</para>
Protocols
So it is clear that data units can be transmitted from a sender Data-link Layer to a (peer) receiver Data-Link ayer. The data unit (DU) is encapsulated in a frame. Each frame contains additional information. The meaning of this additional information and the rules that the sender and receiver must follow when processing this information consitutue the protocol. Hence, the frame constitutes a Protocol Data Unit (PDU). To distinguish between PDU's of different layers the PDU may be referred to as a DPDU (D for Data-link).
Piggy-backing
Each PDU may or may not contain data. In the later case, the PDU is being used expressly for the purpose of the protocol, eg. for the receiver to signal that a frame was corrupted.
Sometimes a PDU used for the purpose of protocol alone is called a control message. Sending an entire PDU without any data can lead to a waste of resources. It is possible to control information in a PDU which contains data. Thisis called piggy-backing and is a commonly used technique to save resources. The drawback is that sometimes there is no data available or ready to be sent, in which case the control message may be delayed until data becomes available.
Utopia protocol
The Utopia protocol assumes that the logical-link and receiver are ideal, e. the logical-link is error free, provides unlimited capacity and the receiver can receive PDU's at any rate. With these assumptions, each DU is transmitted as soon as it is given, without any other mechanisms or support. Similarly the receiver delivers each DU as sson as it arrives without checking for errors, duplicates or out of order delivery.
Out of order delivery is possible, even if the sender sent the frames in order! One possiblity is that an entire frame is lost (never to be received) due to noise. Utopia assumes that this cannot happen.
Stop-and-Wait Protocol
Consider sending frames from a fast machine to a slow machine. What happens if the slow machine is reading the data at half the rate that the fast machine is sending it? Eventually the sent data will be lost, never to be received.
For this reason it is important to provide some kind of flow control.
The Stop-and-Wait protocol requires the receiver to send an acknowledgement PDU in return for every frame received. Such a PDU is often called an ACK. The sender will wait for the ACK before sending the next frame.
Kinds of errors
Three kinds of errors can occur:
- the bits in the frame can be inverted, anywhere within the frame including the data bits or the frame's control bits.
- additional bits can be inserted into the frame, before the frame or after the frame and
- bits can be deleted from the frame
Such errors could cause the entire frame to be deleted. Errors don't necessarily happen because of noise. Sometimes an intermediate device devides to "drop" a frame, because eg. it's buffer may be full. These kinds of errors may lead to frames being mistaken as other frames, to ACK's being lost.... even to ACK's magically appearing!
Echo checking
Clearly, error control is required. Error control can be implemented at all layers with the choice of whn, where and how being made by those who develop the layers.
At the highest layer, the use must implement menual error control, eg. by inspecting the result of a file transfer to ensure that the contents are as expected, or by seeing that the keys typed on the terminal are echoed properly onto the display. In fact, error checking is a simple form of error control. In this case, the receiver sends back (echoes) a copy of the receive data unit, for the sender to check.
Automatic Repeat Request
Echo checking is not feasible when the computer is transmitting long data unit sequences. Typically the error control involves the receiver checking the frame for possible errors (perhaps implementing some amount of error correcting) and then either:
1. sending a positive acknowledgement as a form of receipt or
2. sending a negative acknowledgement (NACK) to request another copy of the frame be sent.
This type of error control is known as automatic repeat request (ARQ). ARQ is used in two ways:
- idle RQ and
- continuous RQ.
In either case, the use of ACK's, NACK's or both is implementation dependent and this can lead to a variety of protocols which differ slightly in their specification/operation. The continuous RQ typically uses one of the following transmission strategies:
- selective repeat or
- go-back-N
Sequence numbers
For all the ARQ error control methods, it is necessary to distinguish between different frames. The principle reason is so that duplicate frames can be avoided and to ensure that all frames are eventually received.
Furthermore, because the sequence number must be recorded as part of the frame it will occupy some number of bytes. For frames with fixed formats, the maximum size of the sequence number is also fiexed. So eg. the sequence number may be designated as 1 bit, 2 bits, 8 bits, etc....
Although a fixed suze sequence number may suggest that only a fixed number of frames can be transmitted, as will be found when examining the protocols, distinguishing each frame from every frame is not necessary and in some caes it is quite possible to have a 1-bit sequence number.
Timers
A timer provides an event after a given time interval. Timers are used to trigger protocol state transitions. Eg. recall the stop-and-wait protocol as previously described. If the ACK is lost then the sender will wait indefinitely. In this case, a timer may be used to trigger the protocol in the extendede absence of an ACK.
Idle RQ
The stop-and-wait protocol given earlier is an incomplete form of idle RQ. The basic RQ uses a timer at the sender and either ACK's only (implicit retransmission) or a combination of ACK's and NACK's (explicit retransmission).
When sending a frame, F(n), the sender starts a timer. The sender waits to receive either an ACK(n) or a NACK(n). If nothing is recieved before the timer expires then the timer is reset and F(n) is retransmitted (implicit). If ACK(n) is received then the sender repeats the process F(n+1). If NACK(n) is received before the timer expires then the sender resets the timer and retransmits F(n) (explicit).
Using a NACK
See that the NACK is used when receiving a corrupted frame and signals the sender to stop the timer and send F(n) immediately. Intuitively this decreases the amount of time wasted, and so increases the link utlization.
Link utilization
Clearly, the use of a NACK increases the use of the link. To quantify this requires first examining the basic link utilization of idle RQ.
See Page 48.
Idle RQ and sequence numbers
Clearly, the sequence numbers for idle RQ may be 1 bit. For example, the sender transmits frame F(0) and does not transmit frame F(1) until F(0) has been acknowledged. At any one time, there is only a single frame in question. The two sequence numbers are required in case that the ACK(0) is lost - the sender times out and resends F(0), however the receiver is now waiting for F(1) and can reject F(0).
In this way, the sender has to buffer only one frame, and the receiver has to record only the sequence number of the frame that was previously received.
Because of this, idle RQ does not require much buffer space and is therefore used when simple devices are communicating, such as between a terminal and a display.
Continuous RQ
In previous slide the idle RQ protocol was shown to provide poor link utilization when the time to transmit a frame was significantly less than the propogatio delay.
A number of physical layer services provide links with significantly long propogation delays, such as satellite communication and high bandwidth Ethernet.
Continuous RQ allows the sender to continue to transmit frames, even though no ACK's may have been received for previously transmitted frames.
Sliding windows
Continuous RQ may require buffering at both the sender and the receiver (as well as seen) and, with finite buffers, it is necessary to ensure that neither the sender's not the receiver's buffer becomes over loaded. A sliding window is a flow control which is used to maintain finite buffers at the sender and receiver.
There are numerous methods of implementing a sliding window. However this subject will introduce and use only one method.
Parameters for a sliding window
Each sliding window uses three parameters:
1. the size of the window K,
2. the lower window edge LWE and
3. the upper window edge UWE.
Normally, K remains as a constant while LWE and UWE vary as frames are transmitted and acknowledged. Both the sender and receiver have their own set of parameters and their own interpretations.
Sequence numbers and window size
The size of the sequence number and the window size are related and the relationship depends on the protocol.
Consider the idle RQ from previous slides. Idle RQ uses 1-bit sequence number which gives two different frame identifiers {0,1}. However the window size is K=1 at both the sender and receiver. The reason for this will be explained during go-back-N protocol (idle RQ is a simplified go-back-N). For now, examine the next slide to see how sequence numbers and sliding windows relate.
Go-back-N protocol
With an understanding of sequence numbers and sliding window it is possible to quickly understand the Go-back-N protocol.
The sender uses a window size of K. The receiver uses a window size of 1.
The receiver sends an ACK for each frame as it is received. If a corrupted frame as it is received. If a corrupted frame, F(n), is received or F(n) is missing (didn't arrive) then the receiver sends a special NACK(n) to request that the sender start restransmitting from frame F(n).
Selective repeat protocol
Selective repeat uses a window size of K at both the sender and receiver.
The protocol can be implemented in one of two ways: either the receiver sends only ACK's and the sender implicitly retransmits NACK's to explicity request a frame retransmission.
The seder buffers out-of-order frames until the missing frames are retransmitted.
As the name suggests, the receiver can "selectively" request retransmission of a frame.
When using ACK's only, the absence of an ACK triggers a retransmission.
When using ACK's only, if an ACK is lost, then a retransmission is triggered, but the retransmission frame is discarded. If NACK's are used, then the NACK explicity triggers a retransmission.
Explicit and implicit strategies
Explicit retransmission strategy uses NACK's. Implicit retransmission strategy does not use NACK's.
For explicit retransmission strategy an ACK(n) is sufficient to acknowledge all frames prior to and including F(n).
For implicit retransmission strategy an ACK(n) does not acknowledge all frames prior to F(n). The reason for this is that the strategy relies on the receiver detecting a missing ACK as the trigger for a retransmission.
Sequence numbers and K for selective repeat
Duplex protocols and lnks
So far we have discussed the operation of protocols that have data being transmitted from a sender to a receiver, called simplex protocols. In most cases these protocols required that some PDU's be sent back to the receiver.
Many links allow for data to be sent in both directions simultaneously. Indeed, a single medium may be divided logically into a send and receive channel using FSM. Such links are called duplex links and the protocols that allow data to flow in both directions simultaneously are duplex protocols.
In contrast, recall the primitive stop-and-wait protocol. At any other time, the link was being used to either send a frame or to receive ackowledgement. In this case it is sufficient for the link to be half-duplex. Duplex protocols can operate over a half-duplex link but with less efficiency.
The concepts are studied further when considering the medium access control sub-layer.
Protocol efficiency
The concept of link utilization does not consider the amount of data actually sent is less than the length of the frame. The protocol efficiency refers to the fraction of total data transmitted that represents the DU's themselves. This value is always less than 1 because each frame contains additional protocol information such as CRC and sequence number.
The link efficiency is further reduced to obtain the protocol efficiency. If the length of the DU is D and the length of the frame is L, then only D/L of the utilized link is actually used to transmit DU's.
Medium Access Control
The protocols given in the previous lectures assumed that the sender had a direct link to the receiver , and also that the link provided duplex communication, ie. so that frames could be sent at the same time that ACK's were being received. Recall that the repeater is a simple Layer 1 device that, any number of repeaters may exist between two data-link layer peers, transparently to the communication.
Also recall that the hub is a general repeater.
Frames from any of the data-link layers will be transmitted to every other data-link layer.
The use of a hub introduces new problems for the protocols because a transmitted frame will potentialy be received by a number of different data-link layers.
So each device needs an address. The address is called the medium access control (MAC) address - it is a unique identifier for every device connected to the shared medium.
The MAC sub-layer
To handle issues of MAC addressing, and other issues to do with avoiding collision of frames transmitted by two or more Layer 2 devices, the Layer 2 is broken into a MAC sub-layer and a Logical Link Contrl (LLC) sub-layer.
The protocols discussed so far are those implmented by the LLC sub-layer. The MAC sub-layer abstracts the complexity of medium access from the LLC sub-layer.
Channels
Recall that the Physical Layer is responsible for transmitting a bit stream on the transmission medium. The Physical Layer may share several bit streams over the one transmission medium using either TDM or FDM. In this way the transmission medium has been divided into a number of channels. For a prticular (shared) tranmission medium, each MAC sub-layer has access to the same set of channels. The problem for the MAC sub-layer is to decide how a particular channel will be shared.
MAC sub-layer protocols
What protocol can the MAC sub-layers implement to ensure that channels are used efficiently? (read Section 4.1 and 4.2 of your textbook)
You will see that the protocol of choice is one which takes into consideration the types of channels and also factors such as the propogation delay, frame length, error rate and the frame rate or load.
Classifying MAC protocols
There are two kinds of MAC protocols:
contention protocols: these protocols allow the possiblity of frames colliding.
contention-less protocols: these protocols don't allow the possibliity of frames colliding.
The choice of a contention or contention-less protocol is mainly made on the basis of the transmission medium. In other words different MAC sub-layer protocols have been developed according to the type of Physical Layer.
Logical Token Bus
Logical Token Bus is a contention-less protocol. With this protocol the MAC sub-layers pass around a token and only the MAC sub-layer with the token can use the channel. When a particular MAC sub-layer has finished sending a frame, it sends the token to the next MAC sub-layer, and so on. If a MAC sub-layer has no frame to transmit then it simply passes the token to the next MAC sub-layer. Clearly the protocol can be applied for both half duplex and full duplex channels.
CSMA
To overcome the low efficiency of the Logical Token Bus protocol the Carrier Sense Multiple Access (CSMA) protocol can be used. In this case devices are allowed to transmit a frame at any time (multiple access). However, each device will not transmit a frame if they are receiving a frame (carrier sense).
For the case of persistent CSMA, if a device detects that a frame is being recieved it will send its own frame immediately after the frame has been received. The the case of non-persistent CSMA the device will wait for some random period before transmitting .
Collisions can occur so this protocol is a contention protocol. If collision detection (CD) is used then colliding frames can be aborted.
ALOHA
ALOHA is a contention protocol and is used when carrier sense is not available. Mainly this i for satellite communication. The protocol allows devices to transmit at any time. Read your textbook to see the analysis of ALOHA for the case when slotted and unslotted ALOHA is used.
<AX25>
3.8. Amateur Radio
The Linux kernel has built-in support for amateur radio protocols.
Especially interesting is the AX.25 support. The AX.25 protocol offers
both connected and connectionless modes of operation, and is used
either by itself for point-point links, or to carry other protocols
such as TCP/IP and NetRom.
It is similar to X.25 level 2 in structure, with some extensions to
make it more useful in the amateur radio environment.
<20> Amateur radio on Linux web site <http://radio.linux.org.au/>
</AX25>
NDIS and ODI
The Network Device Interface Specification (NDIS) is a standard developed
by Microsoft and IBM to enable communication between protocols and network
card drivers. The purpose of NDIS is to abstract the functions of the
network driver so that protocols can work with any driver. NDIS works
within the data link layer of the OSI model.
NDIS allows software components to be written in a modular fashion, and
components that conform to a version of the NDIS specification are
guaranteed to communicate with eachother. The current version of NDIS
is 4.0.
The process of assigning a protocol to a network card is called binding.
NDIS allows multiple protocols to be bound to a single network card,
and multiple network cards to be bound to a single protocol (or multiple
protocols).
ODI (Open Datalink Interface), devloped by Novell and Apple, is an
implementation of the same functionality. While designed primarily for
the IPX protocol, ODI can be used with any protocol. Netware clients and
servers can have network cards bound to multiple protocols. Microsoft's
implementation of the IPX protocol, NWLink, also supports the ODI standard.
</sect1>
<sect1 id="Appletalk">
<title>Appletalk</title>
<para>
Appletalk is the network architecture/internetworking stack developed
by Apple to work with Macintosh computers. It allows a peer-to-peer
network model which provides basic functionality such as file and printer
sharing. Each machine can simultaneously act as a client and a server,
and the software and hardware necessary are included with every Apple
computer. Appletalk actually supports three network transports:
Ethernet, Token Ring, and a dedicated system called Localtalk.
</para>
<para>
LocalTalk is traditionally wired in a star or hybrid topology using custom
connectors and STP cable. A popular third-party system allows ordinary phone
cable to be used instead of STP. LocalTalk supports up to 32 node per network.
The implementations of Ethernet and Token Ring (EtherTalk and TokenTalk)
support for more sophisticated networks. Localtalk uses CSMA/CA access method.
Rather than detect collisions as with Ethernet, this method requires nodes to
wait a certain amount of time after detecting an existing signal on the network
before attempting to transmit, avoiding most collisions.
</para>
<para>
Linux provides full Appletalk networking. Netatalk is a kernel-level
implementation of the AppleTalk Protocol Suite, originally for BSD-
derived systems. It includes support for routing AppleTalk, serving
Unix and AFS filesystems over AFP (AppleShare), serving Unix printers
and accessing AppleTalk printers over PAP. Linux systems just show up
as another Macintosh on the network.
</para>
- Netatalk faq and HOWTO:
- http://thehamptons.com/anders/netatalk/
- http://www.umich.edu/~rsug/netatalk/
- http://www.umich.edu/~rsug/netatalk/faq.html
</sect1 id="Appletalk">
<sect1 id="ARCnet">
<title>ARCnet</title>
<para>
ARCnet, developed in 1977, by Datapoint Corporation, is an older standard
that has largely been replaced by Ethernet in current networks. ARCnet,
uses RG-62 coaxial cable in a star, bus, or hybrid physical topology. This
networking scheme supports active and passive hubs, which must be connected
to an active hub. ARCnet requries 93-ohm terminators at the end of bus
cables, and on unused ports of passive hubs. It supports UTP, coaxial, or
fiber-optic cable. The distance between nodes is 400 feet with UTP cable,
and higher for coaxial or fiber-optic cable.
</para>
<para>
ARCnet uses a token-passing scheme similar to that of token ring. ARCnet
networks support a bandwidth of 2.5 Mbps. Newer standards (ARCnet Plus and
TCNS) support speeds of 20 Mbps and 100 Mbps, but have not really caught on.
</para>
<para>
ARCNet device names are `arc0e', `arc1e', `arc2e' etc. or `arc0s',
`arc1s', `arc2s' etc. The first card detected by the kernel is
assigned `arc0e' or `arc0s' and the rest are assigned sequentially in
the order they are detected. The letter at the end signifies whether
you've selected ethernet encapsulation packet format or RFC1051 packet
format.
</para>
<para>
<screen>
Kernel Compile Options:
Network device support --->
[*] Network device support
<*> ARCnet support
[ ] Enable arc0e (ARCnet "Ether-Encap" packet format)
[ ] Enable arc0s (ARCnet RFC1051 packet format)
</screen>
</para>
<para>
Once you have your kernel properly built to support your ethernet card
then configuration of the card is easy.
</para>
<para>
Typically you would use something like:
</para>
<para>
<screen>
root# ifconfig arc0e 192.168.0.1 netmask 255.255.255.0 up
root# route add -net 192.168.0.0 netmask 255.255.255.0 arc0e
</screen>
</para>
<para>
Please refer to the /usr/src/linux/Documentation/networking/arcnet.txt
and /usr/src/linux/Documentation/networking/arcnet-hardware.txt files
for further information.
</para>
<para>
ARCNet support on Linux was developed by Avery Pennarun, apenwarr@foxnet.net.
</para>
</sect1 id="ARCnet">
<sect1 id="ATM">
<title>ATM</title>
<para>
ATM (Asynchronous Transfer Mode), is a high speed packet switching format
that supports up to 622 Mbps. ATM can be used with T1 and T3 lines, FDDI,
and SONET OC1 and OC3 lines. ATM uses a technology called cell switching.
Data is sent in 53-byte packets called cells. Because packets are small and
uniform in size, they can be quickly routed by hardware switches. ATM uses
a virtual circuit between connection points for high reliability over
high-speed links.
</para>
<para>
ATM support for Linux is currently in pre-alpha stage. There is an
experimental release, which supports raw ATM connections (PVCs and
SVCs), IP over ATM, LAN emulation....
</para>
<para>
The Linux ATM-Linux home page is at, <http://lrcwww.epfl.ch/linux-atm/>
</para>
<para>
Werner Almesberger <werner.almesberger@lrc.di.epfl.ch> is managing a
project to provide Asynchronous Transfer Mode support for Linux.
Current information on the status of the project may be obtained from,
http://lrcwww.epfl.ch
</para>
</sect1 id="ATM">
<sect1 id="DDS-Switched56">
<title>DDS-Switched56</title>
<para>
DDS (Digital Data Service) and Switched 56 are types types of dedicated
digital line provided by phone carriers. DDS lines are more
expensive than dedicated analog lines, but support a more consistent quality.
DDS lines support a speed of 56 Kbps. A device called a CSU/DSU (Channel
Service Unit/Digital Service Unit) is used to connect the network to the
dedicated line.
</para>
<para>
Switched 56 is an alternative to DDS that provides the same type of
connection, but in a circuit-switched format. The line is available
on demand rather than continuously, and you are billed for the hours that
you use it. ISDN has largely replaced Switched 56 for this purpose.
</para>
</sect1 id="DDS-Switched56">
<sect1 id="DECnet">
<title>DECnet</title>
<para>
Support for DECnet is currently being worked on. You should expect it
to appear in a late 2.1.* kernel.
</para>
</sect1 id="DECnet">
<sect1 id="DLC">
<title>DLC</title>
<para>
DLC (Data Link Control) is a transport protocol developed by IBM for SNA
(System Network Architecture), a protocol suite for network communication
with mainframe computers. Particular versions of DLC are called SDLC
(Synchronous Data Link Control) and HDLC (High-level Data Link Control).
Along with its main uses in mainframe communication, DLC is the protocol
used by many network-aware printers such Hewlett-Packard's JetDirect
interface.
</para>
</sect1="DLC">
<sect1 id="EQL">
<title>EQL</title>
<para>
EQL provides a means of utilizing multiple point to point lines such
as PPP, SLIP or PLIP as a single logical link to carry TCP/IP. Often,
it is cheaper to use multiple lower speed lines than to have one high
speed line installed. In short, EQL is multiple line traffic equaliser.
</para>
</sect1 id="EQL">
<sect1 id="Ethernet">
<title>Ethernet</title>
Ethernet
Ethernet is the most common network architecture worldwide. It was developed by Xerox,
Intel and DEC in the late 1960s and revised as Ethernet 2.0 in 1982. Ethernet networks
the CSMA/CD (carrier sense multiple access with collision detection) media access method,
defined in IEEE 802.3.
There are three Ethernet standards for different media:
See P41 of Oreilly "MSCE Networking"
10BaseT
10Base2
10Base5
Fast Ethernet
Fast Ethernet, also known as 100BaseT, is a new standard for 100 Mbps Ethernet. Fast Ethernet
can use two-pair Category 5 cable of four-pair Category 3-5 cable.
100BaseT uses a physical star topology identical to that used by 10BaseT, but requires that
all equipment (hubs, NICs, and repeaters) support 100 Mbps speeds. Some NICs and hubs can support
both standards, but all devices on the network need to be configured to use the same standard.
Several manufacturers devleloped 100 Mbps Ethernet devices before 100BaseT became a standard. The
most popular of these, 100VG-AnyLan, is still widely used. This standard uses a demand priority
access method rather than CSMA/CD, and also supports networks that combine Ethernet and Token
Ring packets.
> Start Binh
GigE
GigE Ethernet, also known as 1000BaseT or Gigabit Ethernet. GigE can only use Cat 5 cable.
GigE uses the same topology as that of Fast Ethernet (ie. physical star topology). Like Fast Ethernet
though it requires that hubs/switches on the LAN to be GigE capable. If not it will revert back to
100BaseT, and if this is not available to 10BaseT Ethernet.
> End Binh
* Ethernet-Howto
</sect1 id="Ethernet">
<sect1 id="FDDI">
<title>FDDI</title>
<para>
FDDI (Fiber Distributed Data Interface) is a high-speed, reliable, long-distance
networking scheme often used for network backbones and networks that require
high bandwidth. FDDI uses fiber optic cable wired in a true ring. It supports
speeds up to 100 Mbps and a maximum distance bewteen nodes of 100 kilometers
(62 miles).
</para>
<para>
FDDI uses token-passing scheme wired into two rings, primary and secondary. The
primary ring is used for normal networking. When a failure is detected, the
secondary ring is used in the opposite direction to compensate for the failure
in the primary ring.
</para>
<para>
The advantages of FDDI are their high speed, long distance, and reliablity.
The token-passing scheme used by FDDI is also more sophisticated than that
of Token Ring: it allows multiple packets to be on the ring at once, and
allows certain nodes to be given higher priority than the rest. The
disadvantage of FDDI is its high cost and the difficult in installing and
maintaing fiber optic cable.
</para>
</sect1 id="FDDI">
<sect1 id="Frame-Relay">
<title>Frame-Relay</title>
<para>
Frame relay is a protocol used with leased lines to support speeds up to
1.544 Mbps. Frame realy uses packet switching over a phone company's
network. Frame realy connections use a virtual circuit, called
a PVC (private virtual circuit), to establish connections. Once established,
connections use a low overhead and do not provide error correction.
</para>
<para>
A frame realy compatible router is used to attach the LAN to the frame
relay line. Frame relay lines are available in speeds ranging from 56 Kbps
to 1.544 Mbps, and varying proportionally in cost. One advantage of frame
relay is that bandwidth is available on demand: you can install a line
at 56 Kbps and later upgrade it to a higher speed by ordering the service
from the carrier, usually without replacing any equipment.
</para>
<para>
It was specifically designed and is well suited to data communications traffic
that is of a `bursty' or intermittent nature. You connect to a Frame Relay
network using a Frame Relay Access Device (FRAD). The Linux Frame Relay
supports IP over Frame Relay as described in RFC-1490.
</para>
</sect1 id="Frame-Relay">
<sect1 id="NetBEUI">
<title>NetBEUI</title>
<para>
NetBEUI (NetBIOS Extended User Interface) is a transport-layer protocol
developed by Microsoft and IBM. NetBEUI was mainly intended as a basic
protocol to support NetBIOS (Network Basic Input/Output System), the
Windows standard for workstation naming, communications, and file sharing.
</para>
<para>
NetBEUI is a fast protocol with a low overhead, which makes it a good
choice for small networks. However, it is a non-routable protocol.
Networks that use NetBEUI can be use bridges for traffic management,
but cannot use routers. Another disadvantage is its proprietary nature.
NetBEUI is supported by few systems other than Windows.
</para>
<para>
Although NetBEUI was developed by Microsoft and was the default protocol
for some operating systems (such as Windows for Workgroups and Windows 95),
Microsoft recommends TCP/IP over NetBEUI for most Windows NT networks.
</para>
</sect1 id="NetBEUI">
<sect1 id="IPX">
<title>IPX</title>
<para>
IPX and SPX are proprietary protocols that were developed during the
early 1980s by Novell for use in NetWare networks.
NetWare became the de facto standard network operating system (NOS) of
first generation LANs. Novell complemented its NOS with a
business-oriented application suite and client-side connection utilities.
They were based on protocols used in Xerox's XNS (Xerox Network Systems)
network architecture.
IPX (Internetwork Packet Exchange) is a connectionless protocol that works
at the network layer of the OSI model, and SPX (Sequenced Packet Exchange)
is a connection-orientated protocol that works at the transport layer.
</para>
<para>
These protocols are often easier to configure than TCP/IP and are routable,
so they make a good alternative for some networks, particularly small
peer-to-peer networks. However, TCP/IP is more suitable for larger
LANs and WANs.
</para>
<para>
Frame types are one aspect of IPX networks that sometimes does require
configuration. The frame type determines the order and type of data included
in the packet. Typical frame types used in NetWare networks
802.2 and 802.3.
</para>
<para>
Linux has a very clean IPX/SPX implementation, allowing it to be
configured as an:
<20> IPX router
<20> IPX bridge
<20> NCP client and/or NCP Server (for sharing files)
<20> Novell Print Client, Novell Print Server
And to:
<20> Enable PPP/IPX, allowing a Linux box to act as a PPP server/client
<20> Perform IPX tunnelling through IP, allowing the connection of two
IPX networks through an IP only link
</para>
* IPX-SPX HOWTO
</sect1 id="IPX">
<sect1 id="Leased-Line">
<title>Leased-Line</title>
<para>
Any fixed, that is permanent, point to point data communications link,
which is leased from a telco or similar organisation. The leased line
involves cables, such as twisted pair, coax or fiber optic, and may
involve all sorts of other hardware such as (pupin) coils,
transformers, amplifiers and regenerators.
</para>
</sect1 id="Leased-Line">
<sect>
T1-T4
<para>
A T1 line is a high-speed, dedicated, point-to-point leased line that
includes 24 seperate 64 Kbps channles for voice and data. Other lines
of this type, called T-carrier lines, support larger numbers of channels.
T1 and T3 lines are the most commonly used.
</para>
<para>
<screen>
Carrier Channels Total Bandwidth
T1 24 1.544 Mbps
T2 96 6.312 Mbps
T3 672 44.736 Mbps
T4 4032 274.176 Mbps
</screen>
</para>
<para>
While the specification for T-carrier lines does not mandate a particular
media type, T1 and T2 are typically carried on copper, and T3 and T4
typically use fiber optic media. DS1, DS2, DS3, and DS4 are an alternate
type of line equivalent to T1-T4, and typically use fiber optic media.
</para>
SONET (Synchronous Optical Network)
<para>
A leased-line system using fiber optic media to support data speeds up to
2.4 Gbps. SONET services are sold based on optical carier (OC) levels. OC
levels are calculated as multiples of the OC-1 speed, 51.840 Mbps. For
example, OC-3 level would correspond with a data speed of 155 Mbps and
OC-12 level would equate to a data transfer rate of 622 Mbps. OC-1 and
OC-3 are the most commonly used SONET lines.
</para>
</sect id="Leased-Line">
<sect1 id="PLIP">
<title>PLIP</title>
<para>
PLIP (Parallel Line IP), is like SLIP, in that it is used for
providing a point to point network connection between two machines,
except that it is designed to use the parallel printer ports on your
machine instead of the serial ports (a cabling diagram in included in
the cabling diagram section later in this document). Because it is
possible to transfer more than one bit at a time with a parallel port,
it is possible to attain higher speeds with the plip interface than
with a standard serial device. In addition, even the simplest of
parallel ports, printer ports, can be used in lieu of you having to
purchase comparatively expensive 16550AFN UART's for your serial
ports. PLIP uses a lot of CPU compared to a serial link and is most
certainly not a good option if you can obtain some cheap ethernet
cards, but it will work when nothing else is available and will work
quite well. You should expect a data transfer rate of about 20
kilobytes per second when a link is running well.
</para>
7.2. PLIP for Linux-2.0
<para>
PLIP device names are `plip0', `plip1 and plip2.
</para>
<para>
<screen>
Kernel Compile Options:
Network device support --->
<*> PLIP (parallel port) support
</screen>
</para>
<para>
The PLIP device drivers competes with the parallel device driver for
the parallel port hardware. If you wish to use both drivers then you
should compile them both as modules to ensure that you are able to
select which port you want to use for PLIP and which ports you want
for the printer driver. Refer to the ``Modules mini-HOWTO'' for more
information on kernel module configuration.
</para>
<para>
Please note that some laptops use chipsets that will not work with
PLIP because they do not allow some combinations of signals that PLIP
relies on, that printers don't use.
</para>
<para>
The Linux plip interface is compatible with the Crynwyr Packet Driver
PLIP and this will mean that you can connect your Linux machine to a
DOS machine running any other sort of tcp/ip software via plip.
</para>
<para>
In the 2.0.* series kernel the plip devices are mapped to i/o port and
IRQ as follows:
</para>
<para>
<screen>
device i/o IRQ
------ ----- ---
plip0 0x3bc 5
plip1 0x378 7
plip2 0x278 2
</screen>
</para>
<para>
If your parallel ports don't match any of the above combinations then
you can change the IRQ of a port using the ifconfig command using the
`irq' parameter (be sure to enable IRQ's on your printer ports in your
ROM BIOS if it supports this option). As an alternative, you can
specify ``io='' annd ``irq='' options on the insmod command line, if
you use modules. For example:
</para>
<para>
<screen>
root# insmod plip.o io=0x288 irq=5
</screen>
</para>
<para>
PLIP operation is controlled by two timeouts, whose default values are
probably ok in most cases. You will probably need to increase them if
you have an especially slow computer, in which case the timers to
increase are actually on the other computer. A program called
plipconfig exists that allows you to change these timer settings
without recompiling your kernel. It is supplied with many Linux
distributions.
</para>
<para>
To configure a plip interface, you will need to invoke the following
commands (or add them to your initialization scripts):
</para>
<para>
<screen>
root# /sbin/ifconfig plip1 localplip pointopoint remoteplip
root# /sbin/route add remoteplip plip1
</screen>
</para>
<para>
Here, the port being used is the one at I/O address 0x378; localplip
amd remoteplip are the names or IP addresses used over the PLIP cable.
I personally keep them in my /etc/hosts database:
</para>
<para>
<screen>
# plip entries
192.168.3.1 localplip
192.168.3.2 remoteplip
</screen>
</para>
<para>
The pointopoint parameter has the same meaning as for SLIP, in that it
specifies the address of the machine at the other end of the link.
</para>
<para>
In almost all respects you can treat a plip interface as though it
were a SLIP interface, except that neither dip nor slattach need be,
nor can be, used.
</para>
<para>
Further information on PLIP may be obtained from the ``PLIP mini-
HOWTO''.
</para>
7.3. PLIP for Linux-2.2
<para>
During development of the 2.1 kernel versions, support for the
parallel port was changed to a better setup.
</para>
<para>
<screen>
Kernel Compile Options:
General setup --->
[*] Parallel port support
Network device support --->
<*> PLIP (parallel port) support
</screen>
</para>
<para>
The new code for PLIP behaves like the old one (use the same ifconfig
and route commands as in the previous section, but initialization of
the device is different due to the advanced parallel port support.
</para>
<para>
The ``first'' PLIP device is always called ``plip0'', where first is
the first device detected by the system, similarly to what happens for
Ethernet devices. The actual parallel port being used is one of the
available ports, as shown in /proc/parport. For example, if you have
only one parallel port, you'll only have a directory called
/proc/parport/0.
</para>
<para>
If your kernel didn't detect the IRQ number used by your port,
``insmod plip'' will fail; in this case just write the right number to
/proc/parport/0/irq and reinvoke insmod.
</para>
<para>
Complete information about parallel port management is available in
the file Documentation/parport.txt, part of your kernel sources.
</para>
<EFBFBD> PLIP information can be found in The Network Administrator Guide
<http://metalab.unc.edu/mdw/LDP/nag/nag.html>
PLIP allows the cheap connection of two machines.
It uses a parallel port and a special cable, achieving speeds of
10kBps to 20kBps.
</sect1 id="PLIP">
<sect1 id="PPP-and-SLIP">
<title>PPP and SLIP</title>
<para>
The Linux kernel has built-in support for PPP (Point-to-Point-
Protocol) and SLIP (Serial Line IP). PPP is the most popular
way individual users access their ISPs (Internet Service
Providers).
<EFBFBD> Linux PPP HOWTO <http://metalab.unc.edu/mdw/HOWTO/PPP-HOWTO.html>
<EFBFBD> PPP/SLIP emulator <http://metalab.unc.edu/mdw/HOWTO/mini/SLIP-PPP-
Emulator.html>
</sect1 id="PPP-and-SLIP">
<sect1 id="Token-Ring">
<title>Token-Ring</title>
<para>
The Token Ring architecture is defined in IEEE 802.5. IBM has further defined
the standard to include particular types of devices and cables. Token Ring uses
a logical ring topology and a physical star topology. The hubs for Token Rung
are called multistation access units, or MAUs.
</para>
<para>
The Token Ring standard supports either 4 Mbps or 16 Mbps speeds. Cable can be
STP, UTP, or fiber. One popular wiring scheme uses Category 5 cable. There are
also a varity of cable types defined by IBM (referred to as Type 1 through
Type 9). Distances between nodes can range from 45 meters for UTP to a kilometer
or more for fiber optic cable.
</para>
<para>
Token Ring networks use a token-passing access scheme. A token data frame is
passed from one computer to the net around the ring. Each computer can
transmit data only when it has the token. This access method provides equal
access to the network for all nodes, and handles heavy loads better than
Ethernet's contention-based method.
</para>
<para>
The nodes in a Token Ring network monitor each other for reliablity. The
first computer in the network becomes an Active Monitor, and the others
are Passive Monitors. Each computer monitors its nearest upstream
neighbour. When an error occurs, the computer broadcasts a beacon packet
indicating the error.
</para>
<para>
The NICs in all computers respond to the beacon by running self-tests, and
removing themselves from the network if necessary. Node in the network can
also automatically remove packets sent to a computer that is having a
problem. This makes Token Ring a reliable choice for networking.
</para>
See Token-Ring HOWTO for more details on running Token Ring on your local
network.
</sect1 id="Token-Ring">
<sect1 id="X25">
<title>X25</title>
<para>
X.25 is a circuit based protocol developed in the 1970s for packet switching
by the C.C.I.T.T. (a standards body recognized by Telecommunications
companies in most parts of the world), allowing customers to share access to
a PDN (Public Data Network). These networks, such as Sprintnet and Tymnet,
were the most practical way to connect large companies at the time,
and are still used by some companies. PDNs are networks that have local
dial-up access points in cities throughout the country and use dedicated lines
to network between these cities. Companies would dial up in two locations to
connect their computers.
</para>
<para>
Computers, routers, or other devices that access a PDN using the X.25
protocols are called data terminal equipment, or DTEs. DTEs without built-in
support for X.25 is a protocol with a relatively high overhead, since it
provides error control and accounting for users of the network.
</para>
<para>
The X.25 protocol supports speeds up to 64 Kbps. This makes it impractical for
many networks, but it is an inexpensive alternative for low-bandwidth
applications. X,25 is a protocol with a relatively high overhead, since it
provides error control and accouting for users of the network.
</para>
<para>
An implementation of X.25 and LAPB are being worked on and recent
2.1.* kernels include the work in progress. Jonathon Naylor
jsn@cs.nott.ac.uk is leading the development and a
mailing list has been established to discuss Linux X.25 related
matters. To subscribe send a message to: majordomo@vger.rutgers.edu
with the text "subscribe linux-x25" in the body of the message.
Early versions of the configuration tools may be obtained from
Jonathon's ftp site at ftp.cs.nott.ac.uk.
</para>
</sect1 id="X25">
<sect1 id="IPv6">
<title>IPv6</title>
<para>
2.1. What is IPv6?
IPv6, sometimes also referred to as IPng (IP Next Generation)
is a new layer 3 protocol (see [http://www.linuxports.com/howto/
intro_to_networking/c4412.htm#PAGE103HTML] linuxports/howto/
intro_to_networking/ISO - OSI Model) which will supersede IPv4 (also known as
IP).
It was designed to address many issues including, the shortage of
available IP addresses, lack of mechanisms to handle time-sensitive
traffic, lack of network layer security, etc.
IPv4 was designed long time ago ([http://www.faqs.org/rfcs/rfc760.html]
RFC 760 / Internet Protocol from January 1980) and since its inception, there
have been many requests for more addresses and enhanced capabilities. Latest
RFC is [http://www.faqs.org/rfcs/rfc2460.html] RFC 2460 / Internet Protocol
Version 6 Specification. Major changes in IPv6 are the redesign of the
header, including the increase of address size from 32 bits to 128 bits.
Because layer 3 is responsible for end-to-end packet transport using packet
routing based on addresses, it must include the new IPv6 addresses (source
and destination), like IPv4. It is anticpated that the larger name space
and accompanying improved addressing scheme, which will prove to provide
a major improvement on routing performance.
For more information about the IPv6 history take a look at older IPv6 related
RFCs listed e.g. at [http://www.switch.ch/lan/ipv6/references.html] SWITCH
IPv6 Pilot / References.
-----------------------------------------------------------------------------
2.2. History of IPv6 in Linux
The years 1992, 1993 and 1994 of the IPv6 History (in general) are covered by
following document: [http://www.laynetworks.com/users/webs/IPv6.htm#CH3] IPv6
or IPng (IP next generation).
To-do: better time-line, more content...
-----------------------------------------------------------------------------
2.2.1. Beginning
The first IPv6 related network code was added to the Linux kernel 2.1.8 in
November 1996 by Pedro Roque. It was based on the BSD API:
diff -u --recursive --new-file v2.1.7/linux/include/linux/in6.h
<EFBFBD> linux/include/linux/in6.h
--- v2.1.7/linux/include/linux/in6.h Thu Jan 1 02:00:00 1970
+++ linux/include/linux/in6.h Sun Nov 3 11:04:42 1996
@@ -0,0 +1,99 @@
+/*
+ * Types and definitions for AF_INET6
+ * Linux INET6 implementation
+ * + * Authors:
+ * Pedro Roque <******>
+ *
+ * Source:
+ * IPv6 Program Interfaces for BSD Systems
+ * <draft-ietf-ipngwg-bsd-api-05.txt>
The shown lines were copied from patch-2.1.8 (e-mail address was blanked on
copy&paste).
-----------------------------------------------------------------------------
2.2.2. In between
Because of lack of manpower, the IPv6 implementation in the kernel was unable
to follow the discussed drafts or newly released RFCs. In October 2000, a
project was started in Japan, called [http://www.linux-ipv6.org/] USAGI,
whose aim was to implement all missing, or outdated IPv6 support in Linux. It
tracks the current IPv6 implementation in FreeBSD made by the [http://
www.kame.net/] KAME project. From time to time they create snapshots against
current vanilla Linux kernel sources.
-----------------------------------------------------------------------------
2.2.3. Current
Unfortunately, the [http://www.linux-ipv6.org/] USAGI patch is so big, that
current Linux networking maintainers are unable to include it in the
production source of the Linux kernel 2.4.x series. Therefore the 2.4.x
series is missing some (many) extensions and also does not confirm to all
current drafts and RFCs (see [http://www.ietf.org/html.charters/
ipv6-charter.html] IP Version 6 Working Group (ipv6) Charter). This can cause
some interoperability problems with other operating systems.
-----------------------------------------------------------------------------
2.2.4. Future
[http://www.linux-ipv6.org/] USAGI is now making use of the new Linux kernel
development series 2.5.x to insert all of their current extensions into this
development release. Hopefully the 2.6.x kernel series will contain a true
and up-to-date IPv6 implementation.
-----------------------------------------------------------------------------
</sect1 id="IPv6">
<sect1 id="STRIP">
<title>STRIP</title>
<para>
STRIP (Starnode Radio IP) is a protocol designed specifically for
a range of Metricom radio modems for a research project being
conducted by Stanford University called the MosquitoNet Project.
There is a lot of interesting reading here, even if you aren't
directly interested in the project.
</para>
<para>
The Metricom radios connect to a serial port, employ spread spectrum
technology and are typically capable of about 100kbps. Information on
the Metricom radios is available from the: Metricom Web Server.
</para>
<para>
At present the standard network tools and utilities do not support the
STRIP driver, so you will have to download some customized tools from
the MosquitoNet web server. Details on what software you need is
available at the: MosquitoNet STRIP Page.
</para>
<para>
A summary of configuration is that you use a modified slattach program
to set the line discipline of a serial tty device to STRIP and then
configure the resulting `st[0-9]' device as you would for ethernet
with one important exception, for technical reasons STRIP does not
support the ARP protocol, so you must manually configure the ARP
entries for each of the hosts on your subnet. This shouldn't prove too
onerous. STRIP device names are `st0', `st1', etc.... The relevant
kernel compilation options are given below.
</para>
<para>
<screen>
Kernel Compile Options:
Network device support --->
[*] Network device support
....
[*] Radio network interfaces
< > STRIP (Metricom starmode radio IP)
</screen>
</para>
</sect1 id="STRIP">
<sect1 id="WaveLAN">
<title>WaveLAN</title>
<para>
The WaveLAN card is a spread spectrum wireless lan card. The card
looks very like an ethernet card in practice and is configured in much
the same way.
</para>
<para>
You can get information on the Wavelan card from wavelan.com.
</para>
<para>
Wavelan device names are `eth0', `eth1', etc.
<para>
<screen>
Kernel Compile Options:
Network device support --->
[*] Network device support
....
[*] Radio network interfaces
....
<*> WaveLAN support
</screen>
</para>
</sect1 id="WaveLAN">
<sect1 id="ISDN">
<title>ISDN</title>
<para>
The Integrated Services Digital Network (ISDN) is a series of
standards that specify a general purpose switched digital data
network. An ISDN `call' creates a synchronous point to point data
service to the destination. ISDN is generally delivered on a high
speed link that is broken down into a number of discrete channels.
There are two different types of channels, the `B Channels' which will
actually carry the user data and a single channel called the `D
channel' which is used to send control information to the ISDN
exchange to establish calls and other functions. In Australia for
example, ISDN may be delivered on a 2Mbps link that is broken into 30
discrete 64kbps B channels with one 64kbps D channel. Any number of
channels may be used at a time and in any combination. You could for
example establish 30 separate calls to 30 different destinations at
64kbps each, or you could establish 15 calls to 15 different
destinations at 128kbps each (two channels used per call), or just a
small number of calls and leave the rest idle. A channel may be used
for either incoming or outgoing calls. The original intention of ISDN
was to allow Telecommunications companies to provide a single data
service which could deliver either telephone (via digitised voice) or
data services to your home or business without requiring you to make
any special configuration changes.
</para>
<para>
There are a few different ways to connect your computer to an ISDN
service. One way is to use a device called a `Terminal Adaptor' which
plugs into the Network Terminating Unit that you telecommunications
carrier will have installed when you got your ISDN service and
presents a number of serial interfaces. One of those interfaces is
used to enter commands to establish calls and configuration and the
others are actually connected to the network devices that will use the
data circuits when they are established. Linux will work in this sort
of configuration without modification, you just treat the port on the
Terminal Adaptor like you would treat any other serial device.
Another way, which is the way the kernel ISDN support is designed for
allows you to install an ISDN card into your Linux machine and then
has your Linux software handle the protocols and make the calls
itself.
</para>
<para>
The Linux kernel has built-in ISDN capabilies. Isdn4linux controls
ISDN PC cards and can emulate a modem with the Hayes command set ("AT"
commands). The possibilities range from simply using a terminal
program to connections via HDLC (using included devices) to full
connection to the Internet with PPP to audio applications.
<EFBFBD> FAQ for isdn4linux: http://ww.isdn4linux.de/faq/
</para>
<para>
<screen>
Kernel Compile Options:
ISDN subsystem --->
<*> ISDN support
[ ] Support synchronous PPP
[ ] Support audio via ISDN
< > ICN 2B and 4B support
< > PCBIT-D support
< > Teles/NICCY1016PC/Creatix support
</screen>
</para>
<para>
The Linux implementation of ISDN supports a number of different types
of internal ISDN cards. These are those listed in the kernel
configuration options:
</para>
<20> ICN 2B and 4B
<20> Octal PCBIT-D
<20> Teles ISDN-cards and compatibles
<para>
Some of these cards require software to be downloaded to them to make
them operational. There is a separate utility to do this with.
</para>
<para>
Full details on how to configure the Linux ISDN support is available
from the /usr/src/linux/Documentation/isdn/ directory and an FAQ
dedicated to isdn4linux is available at www.lrz-muenchen.de. (You can
click on the english flag to get an english version).
</para>
<para>
A note about PPP. The PPP suite of protocols will operate over either
asynchronous or synchronous serial lines. The commonly distributed PPP
daemon for Linux `pppd' supports only asynchronous mode. If you wish
to run the PPP protocols over your ISDN service you need a specially
modified version. Details of where to find it are available in the
documentation referred to above.
</para>
</sect1 id="ISDN">
<sect1 id="NIS">
<title>NIS</title>
<para>
The Network Information Service (NIS) provides a simple network lookup
service consisting of databases and processes. Its purpose is to
provide information that has to be known throughout the network to all
machines on the network. For example, it enables an administrator to
allow users access to any machine in a network running NIS without a
password entry existing on each machine; only the main database needs
to be maintained.
</para>
</sect1 id="NIS">
<sect1 id="Services">
<title>Services</title>
<para>
</para>
</sect1 id="Services">
<sect1 id="Database">
<title>Database</title>
<para>
Most databases are supported under Linux, including Oracle, DB2, Sybase, Informix, MySQL, PostgreSQL,
InterBase and Paradox. Databases, and the Structures Query Language they work with, are complex, and this
chapter has neither the space or depth to deal with them. Read the next section on PHP to learn how to set
a dynamically generated Web portal in about five minutes.
We'll be using MySQL because it's extremely fast, capable of handling large databases (200G databases aren't
unheard of), and has recently been made open source. It also works well with PHP. While currently
lacking transaction support (due to speed concerns), a future version of MySQL will have this opt
</para>
* Connecting to MS SQL 6.x+ via Openlink/PHP/ODBC mini-HOWTO
* Sybase Adaptive Server Anywhere for Linux HOWTO
</sect1 id="Database">
<sect1 id="DHCP">
<title>DHCP</title>
<para>
Endeavouring to maintain static IP addressing to maintain static IP addressing
information, such as IP addresses, subnet masks, DNS names and other
information on client machines can be difficult. Documentation becomes lost or
out-of-date, and network reconfigurations require details to be modified
manually on every machine.
</para>
<para>
DHCP (Dynamic Host Configuration Protocol) solves this problem by providing
arbitrary information (including IP addressing) to clients upon request.
Almost all client OSes support it and it is standard in most large networks.
</para>
<para>
The impact that it has is most prevalent it eases network administration,
especially in large networks or networks which have lots of mobile users.
</para>
2. DHCP protocol
DHCP (Dynamic Host Configuration Protocol), is used to control
vital networking parameters of hosts (running clients) with the help
of a server. DHCP is backward compatible with BOOTP. For more
information see RFC 2131 (old RFC 1541) and other. (See Internet
Resources section at the end of the document). You can also read
[32]http://web.syr.edu/~jmwobus/comfaqs/dhcp.faq.html.
</sect1 id="DHCP">
<sect1 id="DNS">
<title>DNS</title>
Setting Up Your New Domain Mini-HOWTO.
</sect1 id="DNS">
<sect1 id="FTP">
<title>FTP</title>
<para>
File Transport Protocol (FTP) is an efficient way to transfer files between
machines across networks and clients and servers exist for almost all platforms
making FTP the most convenient (and therefore popular) method of transferring
files. FTP was first developed by the University of California, Berkeley for
inclusion in 4.2BSD (Berkeley Unix). The RFC (Request for Comments)
documents for the protocol is now known as RFC 959 and is available at
ftp://nic.merit.edu/documents/rfc/rfc0959.txt.
</para>
<para>
There are two typical modes of running an FTP server - either anonymously or
account-based. Anonymous FTP servers are by far the most popular; they allow
any machine to access the FTP server and the files stored on it with the same
permissions. No usernames or passwords are transmitted down the wire.
Account-based FTP allows users to login with real usernames and passwords.
While it provides greater access control than anonymous FTP, transmitting real
usernames and password unencrypted over the Internet is generally avoided for
security reasons.
</para>
<para>
An FTP client is the userland application that provides access to FTP
servers. There are many FTP clients available. Some are graphical, and
some are text-based.
</para>
* FTP HOWTO
</sect1 id="FTP">
<sect1 id="LDAP">
<title>LDAP</title>
Information about installing, configuring, running and maintaining a LDAP
(Lightweight Directory Access Protocol) Server on a Linux machine is
presented on this section. This section also presents details about how to
create LDAP databases, how to add, how to update and how to delete
information on the directory. This paper is mostly based on the University of
Michigan LDAP information pages and on the OpenLDAP Administrator's Guide.
</sect1 id="LDAP">
<sect1 id="NFS">
<title>NFS</title>
NFS (Network File System)
The TCP/IP suite's equivalent of file sharing. This protocol operates at the Process/Application
layer of the DOD model, similar to the application layer of the OSI model.
SLIP (Serial Line Internet Protocol) and PPP (Point-to-Point Protocol)
Two protocols commonly used for dial-up access to the Internet. They are typically used with
TCP/IP; while SLIP works only with TCP/IP, PPP can be used with other protocols.
SLIP was the first protocol for dial-up Internet access. It opeates at the physical layer of the
OSI model, and provides a simple interface to a UNIX or other dial-up host for Internet access.
SLIP does not provide security, so authentication is handled through prompts before initiating
the SLIP connection.
PPP is a more recent development. It operates at the physical and data link layers of the OSI
model. In addition to the features of SLIP, PPP supports data compression, security (authentication),
and error control. PPP can also dynamically assign network addresses.
Since PPP provides easier authentication and better security, it should be used for dial-up connections
whenever possible. However, you may need to use SLIRP to communicate with dial-up servers (particularly
older UNIC machines and dedicated hardware servers) that don't support PPP.
> Start Config-HOWTO
2.15. Automount Points
If you don't like the mounting/unmounting thing, consider using autofs(5). You tell the autofs daemon what to automount and where starting with a file, /etc/auto.master. Its structure is simple:
/misc/etc/auto.misc
/mnt/etc/auto.mnt
In this example you tell autofs to automount media in /misc and /mnt, while the mountpoints are specified in/etc/auto.misc and /etc/auto.mnt. An example of /etc/auto.misc:
# an NFS export
server -romy.buddy.net:/pub/export
# removable media
cdrom -fstype=iso9660,ro:/dev/hdb
floppy-fstype=auto:/dev/fd0
Start the automounter. From now on, whenever you try to access the inexistent mount point /misc/cdrom, il will be created and the CD-ROM will be mounted.
>End Config-HOWTO
5.4. Unix Environment
The preferred way to share files in a Unix networking environment is
through NFS. NFS stands for Network File Sharing and it is a protocol
originally developed by Sun Microsystems. It is a way to share files
between machines as if they were local. A client "mounts" a filesystem
"exported" by an NFS server. The mounted filesystem will appear to the
client machine as if it was part of the local filesystem.
It is possible to mount the root filesystem at startup time, thus
allowing diskless clients to boot up and access all files from a
server. In other words, it is possible to have a fully functional
computer without a hard disk.
Coda is a network filesystem (like NFS) that supports disconnected
operation, persistant caching, among other goodies. It's included in
2.2.x kernels. Really handy for slow or unreliable networks and
laptops.
NFS-related documents:
<20> http://metalab.unc.edu/mdw/HOWTO/mini/NFS-Root.html
<20> http://metalab.unc.edu/mdw/HOWTO/Diskless-HOWTO.html
<20> http://metalab.unc.edu/mdw/HOWTO/mini/NFS-Root-Client-mini-
HOWTO/index.html
<20> http://www.redhat.com/support/docs/rhl/NFS-Tips/NFS-Tips.html
<20> http://metalab.unc.edu/mdw/HOWTO/NFS-HOWTO.html
CODA can be found at: http://www.coda.cs.cmu.edu/
<para>
5.4. Unix Environment
The preferred way to share files in a Unix networking environment is
through NFS. NFS stands for Network File Sharing and it is a protocol
originally developed by Sun Microsystems. It is a way to share files
between machines as if they were local. A client "mounts" a filesystem
"exported" by an NFS server. The mounted filesystem will appear to the
client machine as if it was part of the local filesystem.
It is possible to mount the root filesystem at startup time, thus
allowing diskless clients to boot up and access all files from a
server. In other words, it is possible to have a fully functional
computer without a hard disk.
Coda is a network filesystem (like NFS) that supports disconnected
operation, persistant caching, among other goodies. It's included in
2.2.x kernels. Really handy for slow or unreliable networks and
laptops.
NFS-related documents:
<20> http://metalab.unc.edu/mdw/HOWTO/mini/NFS-Root.html
<20> http://metalab.unc.edu/mdw/HOWTO/Diskless-HOWTO.html
<20> http://metalab.unc.edu/mdw/HOWTO/mini/NFS-Root-Client-mini-
HOWTO/index.html
<20> http://www.redhat.com/support/docs/rhl/NFS-Tips/NFS-Tips.html
<20> http://metalab.unc.edu/mdw/HOWTO/NFS-HOWTO.html
CODA can be found at: http://www.coda.cs.cmu.edu/
Samba is the Linux implementation of SMB under Linux. NFS is the Unix equivalent - a way to import and
export local files to and from remote machines. Like SMB, NFS sends information including user
passwords unencrypted, is its best to limit it to within your local network.
As you know, all storage in Linux is visible within a single tree structure, and new hard disks,
CD-ROMs, Zip drives and other spaces are mounted on a particular directory. NFS shares are also
attached to the system in this manner. NFS is included in most Linux kernels, and the tools
necessary to be an NFS server and client come in most distributions.
However, users of Linux kernel 2.2 hoping to use NFS may wish to upgrade to
kernel 2.4; while the earlier version of Linux NFS did work well, it was far slower than
most other Unix implementations of this protocol.
>Start Config-HOWTO
2.15. Automount Points
If you don't like the mounting/unmounting thing, consider using autofs(5). You tell the autofs daemon what to automount and where starting with a file, /etc/auto.master. Its structure is simple:
/misc/etc/auto.misc
/mnt/etc/auto.mnt
In this example you tell autofs to automount media in /misc and /mnt, while the mountpoints are specified in/etc/auto.misc and /etc/auto.mnt. An example of /etc/auto.misc:
# an NFS export
server -romy.buddy.net:/pub/export
# removable media
cdrom -fstype=iso9660,ro:/dev/hdb
floppy-fstype=auto:/dev/fd0
Start the automounter. From now on, whenever you try to access the inexistent mount point /misc/cdrom, il will be created and the CD-ROM will be mounted.
>End Config-HOWTO
> Linux NFS-HOWTO
> NFS-Root mini-HOWTO
> NFS-Root-Client Mini-HOWTO
> The Linux NIS(YP)/NYS/NIS+ HOWTO
</para>
Linux NFS-HOWTO
2. Introduction
2.1. What is NFS?
The Network File System (NFS) was developed to allow machines to mount a disk
partition on a remote machine as if it were on a local hard drive. This
allows for fast, seamless sharing of files across a network.
It also gives the potential for unwanted people to access your hard drive
over the network (and thereby possibly read your email and delete all your
files as well as break into your system) if you set it up incorrectly. So
please read the Security section of this document carefully if you intend to
implement an NFS setup.
There are other systems that provide similar functionality to NFS. Samba
([http://www.samba.org] http://www.samba.org) provides file services to
Windows clients. The Andrew File System from IBM ([http://www.transarc.com/
Product/EFS/AFS/index.html] http://www.transarc.com/Product/EFS/AFS/
index.html), recently open-sourced, provides a file sharing mechanism with
some additional security and performance features. The Coda File System
([http://www.coda.cs.cmu.edu/] http://www.coda.cs.cmu.edu/) is still in
development as of this writing but is designed to work well with disconnected
clients. Many of the features of the Andrew and Coda file systems are slated
for inclusion in the next version of NFS (Version 4) ([http://www.nfsv4.org]
http://www.nfsv4.org). The advantage of NFS today is that it is mature,
standard, well understood, and supported robustly across a variety of
platforms.
</sect1 id="NFS">
<sect1 id="Samba">
8.11. SAMBA - `NetBEUI', `NetBios', `CIFS' support.
SAMBA is an implementation of the Session Management Block protocol.
Samba allows Microsoft and other systems to mount and use your disks
and printers.
SAMBA and its configuration are covered in detail in the SMB-HOWTO.
5.2. Windows Environment
Samba is a suite of applications that allow most Unices (and in
particular Linux) to integrate into a Microsoft network both as a
client and a server. Acting as a server it allows Windows 95, Windows
for Workgroups, DOS and Windows NT clients to access Linux files and
printing services. It can completely replace Windows NT for file and
printing services, including the automatic downloading of printer
drivers to clients. Acting as a client allows the Linux workstation to
mount locally exported windows file shares.
According to the SAMBA Meta-FAQ:
"Many users report that compared to other SMB implementations Samba is more stable,
faster, and compatible with more clients. Administrators of some large installations say
that Samba is the only SMB server available which will scale to many tens of thousands
of users without crashing"
<20> Samba project home page <http://samba.anu.edu.au/samba/>
<20> SMB HOWTO <http://metalab.unc.edu/mdw/HOWTO/SMB-HOWTO.html>
<20> Printing HOWTO <http://metalab.unc.edu/mdw/HOWTO/Printing-
HOWTO.html>
<glossentry>
<glossterm>
samba
</glossterm>
<glossdef>
<para>
A LanManager like file and printer server for Unix. The Samba software suite is a collection of programs that implements the SMB protocol for unix systems, allowing you to serve files and printers to Windows, NT, OS/2 and DOS clients. This protocol is sometimes also referred to as the LanManager or NetBIOS protocol. This package contains all the components necessary to turn your Debian GNU/Linux box into a powerful file and printer server. Currently, the Samba Debian packages consist of the following: samba - A LanManager like file and printer server for Unix. samba-common - Samba common files used by both the server and the client. smbclient - A LanManager like simple client for Unix. swat - Samba Web Administration Tool samba-doc - Samba documentation. smbfs - Mount and umount commands for the smbfs (kernels 2.0.x and above). libpam-smbpass - pluggable authentication module for SMB password database libsmbclient - Shared library that allows applications to talk to SMB servers libsmbclient-dev - libsmbclient shared libraries winbind: Service to resolve user and group information from Windows NT servers It is possible to install a subset of these packages depending on your particular needs. For example, to access other SMB servers you should only need the smbclient and samba-common packages. From Debian 3.0r0 APT
<ulink url="http://www.tldp.org/LDP/Linux-Dictionary/html/index.html">http://www.tldp.org/LDP/Linux-Dictionary/html/index.html</ulink>
</para>
</glossdef>
</glossentry>
<glossentry>
<glossterm>
Samba
</glossterm>
<glossdef>
<para>
A lot of emphasis has been placed on peaceful coexistence between UNIX and Windows. Unfortunately, the two systems come from very different cultures and they have difficulty getting along without mediation. ...and that, of course, is Samba&apos;s job. Samba &lt;http://samba.org/&gt; runs on UNIX platforms, but speaks to Windows clients like a native. It allows a UNIX system to move into a Windows ``Network Neighborhood&apos;&apos; without causing a stir. Windows users can happily access file and print services without knowing or caring that those services are being offered by a UNIX host. All of this is managed through a protocol suite which is currently known as the ``Common Internet File System,&apos;&apos; or CIFS &lt;http://www.cifs.com&gt;. This name was introduced by Microsoft, and provides some insight into their hopes for the future. At the heart of CIFS is the latest incarnation of the Server Message Block (SMB) protocol, which has a long and tedious history. Samba is an open source CIFS implementation, and is available for free from the http://samba.org/ mirror sites. Samba and Windows are not the only ones to provide CIFS networking. OS/2 supports SMB file and print sharing, and there are commercial CIFS products for Macintosh and other platforms (including several others for UNIX). Samba has been ported to a variety of non-UNIX operating systems, including VMS, AmigaOS, and NetWare. CIFS is also supported on dedicated file server platforms from a variety of vendors. In other words, this stuff is all over the place. From Rute-Users-Guide
<ulink url="http://www.tldp.org/LDP/Linux-Dictionary/html/index.html">http://www.tldp.org/LDP/Linux-Dictionary/html/index.html</ulink>
</para>
</glossdef>
</glossentry>
<glossentry>
<glossterm>
Samba
</glossterm>
<glossdef>
<para>
Samba adds Windows-networking support to UNIX. Whereas NFS is the most popular protocol for sharing files among UNIX machines, SMB is the most popular protocol for sharing files among Windows machines. The Samba package adds the ability for UNIX systems to interact with Windows systems. Key point: The Samba package comprises the following: smbd The Samba service allowing other machines (often Windows) to read files from a UNIX machine. nmbd Provides support for NetBIOS. Logically, the SMB protocol is layered on top of NetBIOS, which is in turn layered on top of TCP/IP. smbmount An extension to the mount program that allows a UNIX machine to connect to another machine implicitly. Files can be accessed as if they were located on the local machines. smbclient Allows files to be access through SMB in an explicity manner. This is a command-line tool much like the FTP tool that allows files to be copied. Unlike smbmount, files cannot be accessed as if they were local. smb.conf The configuration file for Samba. From Hacking-Lexicon
<ulink url="http://www.tldp.org/LDP/Linux-Dictionary/html/index.html">http://www.tldp.org/LDP/Linux-Dictionary/html/index.html</ulink>
</para>
</glossdef>
</glossentry>
Samba Authenticated Gateway HOWTO
Ricardo Alexandre Mattar
v1.2, 2004-05-21
</sect1 id="SAMBA">
<sect1 id="SSH">
<title>SSH</title>
<para>
The Secure Shell, or SSH, provides a way of running command line and
graphical applications, and transferring files, over an encrypted
connection. SSH uses up to 2,048-bit encryption with a variety of
cryptographic schemes to make sure that if a cracker intercepts your
connection, all they can see is useless gibberish. It is both a
protocol and a suite of small command line applications which can be
used for various functions.
</para>
<para>
SSH replaces the old Telnet application, and can be used for secure
remote administration of machines across the Internet. However, it
has more features.
</para>
<para>
SSH increases the ease of running applications remotely by setting up
permissions automatically. If you can log into a machine, it allows you
to run a graphical application on it, unlike Telnet, which requires users
to type lots of geeky xhost and xauth commands. SSH also has inbuild
compression, which allows your graphic applications to run much faster
over the network.
</para>
<para>
SCP (Secure Copy) and SFTP (Secure FTP) allow transfer of files over the
remote link, either via SSH's own command line utilities or graphical tools
like Gnome's GFTP. Like Telnet, SSH is cross-platform. You can find SSH
servers and clients for Linux, Unix, all flavours of Windows, BeOS, PalmOS,
Java and Embedded OSes used in routers.
</para>
<para>
Encrypted remote shell sessions are available through SSH
(http://www.ssh.fi/sshprotocols2/index.html
<http://www.ssh.fi/sshprotocols2/index.html>) thus effectively
allowing secure remote administration.
</para>
</sect1 id="SSH">
<sect1 id="Telnet">
<title>Telnet</title>
<para>
Created in the early 1970s, Telnet provides a method of running command
line applications on a remote computer as if that person were actually at
the remote site. Telnet is one of the most powerful tools for Unix, allowing
for true remote administration. It is also an interesting program from the
point of view of users, because it allows remote access to all their files
and programs from anywhere in the Internet. Combined with an X server (as
well as some rather arcane manipluation of authentication 'cookies' and
'DISPLAY' environment variables), there is no difference (apart from the
delay) between being at the console or on the other side of the planet.
However, since the 'telnet' protocol sends data 'en-clair' and there are
now more efficient protocols with features such as built-in
compression and 'tunneling' which allows for greater ease of usage of graphical
applications across the network as well as more secure connections it is an
effectively a dead protocol. Like the 'r' (such as rlogin and rsh) related
protocols it is still used though, within internal networks for the reasons
of ease of installation and use as well as backwards compatibility and also
as a means by which to configure networking devices such as routers
and firewalls.
</para>
<para>
Please consult RFC 854 for further details behind its implementation.
</para>
<para>
<20> Telnet related software
<http://metalab.unc.edu/pub/Linux/system/network/telnet/>
</para>
</sect1 id="Telnet">
<sect1 id="TFTP">
<title>TFTP</title>
<para>
Trivial File Transfer Protocol TFTP is a bare-bones protocol used by
devices that boot from the network. It is runs on top of UDP, so it
doesn&apos;t require a real TCP/IP stack. Misunderstanding: Many people
describe TFTP as simply a trivial version of FTP without authentication.
This misses the point. The purpose of TFTP is not to reduce the complexity
of file transfer, but to reduce the complexity of the underlying TCP/IP
stack so that it can fit inside boot ROMs. Key point: TFTP is almost
always used with BOOTP. BOOTP first configures the device, then TFTP
transfers the boot image named by BOOTP which is then used to boot the
device. Key point: Many systems come with unnecessary TFTP servers. Many
TFTP servers have bugs, like the backtracking problem or buffer overflows.
As a consequence, many systems can be exploited with TFTP even though
virtually nobody really uses it. Key point: A TFTP file transfer client
is built into many operating systems (UNIX, Windows, etc....). These clients
are often used to download rootkits when being broken into. Therefore,
removing the TFTP client should be part of your hardening procedure.
For further details on the TFTP protocol please see RFC's 1350, 1782,
1783, 1784, and 1785.
</para>
<para>
Most likely, you'll interface with the TFTP protocol using the TFTP command
line client, 'tftp', which allows users to transfer files to and from a
remote machine. The remote host may be specified on the command line, in
which case tftp uses host as the default host for future transfers.
</para>
<para>
Setting up TFTP is almost as easy as DHCP.
First install from the rpm package:
<screen>
# rpm -ihv tftp-server-*.rpm
</screen>
</para>
<para>
Create a directory for the files:
<screen>
# mkdir /tftpboot
# chown nobody:nobody /tftpboot
</screen>
</para>
<para>
The directory /tftpboot is owned by user nobody, because this is the default
user id set up by tftpd to access the files. Edit the file /etc/xinetd.d/tftp
to look like the following:
</para>
<para>
<screen>
service tftp
{
socket_type = dgram
protocol = udp
wait = yes
user = root
server = /usr/sbin/in.tftpd
server_args = -c -s /tftpboot
disable = no
per_source = 11
cps = 100 2
}
</screen>
</para>
<para>
The changes from the default file are the parameter disable = no (to enable
the service) and the server argument -c. This argument allows for the
creation of files, which is necessary if you want to save boot or disk
images. You may want to make TFTP read only in normal operation.
</para>
<para>
Then reload xinetd:
<screen>
/etc/rc.d/init.d/xinetd reload
</screen>
</para>
<para>
You can use the tftp command, available from the tftp (client) rpm package,
to test the server. At the tftp prompt, you can issue the commands put and
get.
</para>
</sect1 id="TFTP">
<sect1 id="VNC">
<title>VNC</title>
8.13. Tunnelling, mobile IP and virtual private networks
The Linux kernel allows the tunnelling (encapsulation) of protocols.
It can do IPX tunnelling through IP, allowing the connection of two
IPX networks through an IP only link. It can also do IP-IP tunnelling,
which it is essential for mobile IP support, multicast support and
amateur radio. (see
http://metalab.unc.edu/mdw/HOWTO/NET3-4-HOWTO-6.html#ss6.8)
Mobile IP specifies enhancements that allow transparent routing of IP
datagrams to mobile nodes in the Internet. Each mobile node is always
identified by its home address, regardless of its current point of
attachment to the Internet. While situated away from its home, a
mobile node is also associated with a care-of address, which provides
information about its current point of attachment to the Internet.
The protocol provides for registering the care-of address with a home
agent. The home agent sends datagrams destined for the mobile node
through a tunnel to the care-of address. After arriving at the end of
the tunnel, each datagram is then delivered to the mobile node.
Point-to-Point Tunneling Protocol (PPTP) is a networking technology
that allows the use of the Internet as a secure virtual private
network (VPN). PPTP is integrated with the Remote Access Services
(RAS) server which is built into Windows NT Server. With PPTP, users
can dial into a local ISP, or connect directly to the Internet, and
access their network as if they were at their desks. PPTP is a closed
protocol and its security has recently being compromised. It is highly
recomendable to use other Linux based alternatives, since they rely on
open standards which have been carefully examined and tested.
<20> A client implementation of the PPTP for Linux is available here
<http://www.pdos.lcs.mit.edu/~cananian/Projects/PPTP/>
<20> More on Linux PPTP can be found here
<http://bmrc.berkeley.edu/people/chaffee/linux_pptp.html>
Mobile IP:
<20> http://www.hpl.hp.com/personal/Jean_Tourrilhes/MobileIP/mip.html
<20> http://metalab.unc.edu/mdw/HOWTO/NET3-4-HOWTO-6.html#ss6.12
Virtual Private Networks related documents:
<20> http://metalab.unc.edu/mdw/HOWTO/mini/VPN.html
<20> http://sites.inka.de/sites/bigred/devel/cipe.html
7.4. VNC
VNC stands for Virtual Network Computing. It is, in essence, a remote
display system which allows one to view a computing 'desktop'
environment not only on the machine where it is running, but from
anywhere on the Internet and from a wide variety of machine
architectures. Both clients and servers exist for Linux as well as for
many other platforms. It is possible to execute MS-Word in a Windows
NT or 95 machine and have the output displayed in a Linux machine. The
opposite is also true; it is possible to execute an application in a
Linux machine and have the output displayed in any other Linux or
Windows machine. One of the available clients is a Java applet,
allowing the remote display to be run inside a web browser. Another
client is a port for Linux using the SVGAlib graphics library,
allowing 386s with as little as 4 MB of RAM to become fully functional
X-Terminals.
<20> VNC web site <http://www.orl.co.uk/vnc/>
<para>
Virtual Network Computing (VNC) allows a user to operate a session running on another machine.
Although Linux and all other Unix-like OSes already have this functionality built in, VNC
provides further advantages because it's cross-platform, running on Linux, BSD, Unix, Win32,
MacOS, and PalmOS. This makes it far more versatile.
For example, let's assume the machine that you are attempting to connect to is running Linux.
You can use VNC to access applications running on that other Linux desktop. You can also use
VNC to provide technical support to users on Window's based machines by taking control of
their desktops from the comfort of your server room. VNC is usually installed as seperate
packages for the client and server, typically named 'vnc' and 'vnc-server'.
VNC uses screen numbers to connect clients to servers. This is because Unix machines allow
multiple graphical sessions to be stated simultaneously (check this out by logging in to a
virtual terminal and typing startx -- :1).
For platforms (Windows, MacOS, Palm, etc) which don't have this capability, you'll connect
to 'screen 0' and take over the session of the existing user. For Unix systems, you'll need
to specify a higher number and receive a new desktop.
If you prefer the Windows-style approach where the VNC client takes over the currently
running display, you can use x0rfbserver - see the sidebox below.
VNC Servers and Clients
On Linux, the VNC server (which allows the machine to be used remotely) is actually
run as a replacement X server. To be able to start a VNC session to a machine, log
into it and run vncserver. You'll be prompted for a password - in future you can
change this password with the vncpasswd command. After you enter the password, you'll
be told the display number of the newly created machine.
It is possible to control a remote macine by using the vncviewer command. If it is
typed on its own it will prompt for a remote machine, or you can use:
vncviewer [host]:[screen-number]
> The VPN HOWTO, deprecated!!!!
> VPN HOWTO
> Linux VPN Masquerade HOWTO
</para>
10. References
10.1. Web Sites
Cipe Home Page <http://sites.inka.de/~bigred/devel/cipe.html>
Masq Home Page <http://ipmasq.cjb.net>
Samba Home Page <http://samba.anu.edu.au>
Linux HQ <http://www.linuxhq.com> ---great site for lots of linux
info
10.2. Documentation
cipe.info: info file included with cipe distribution
Firewall HOWTO, by Mark Grennan, markg@netplus.net
IP Masquerade mini-HOWTO,by Ambrose Au, ambrose@writeme.com
IPChains-Howto, by Paul Russell, Paul.Russell@rustcorp.com.au
</sect1 id="VNC">
<sect1 id="Web-Serving">
<title>Web-Serving</title>
<para>
The World Wide Web provides a simple method of publishing and linking
information across the Internet, and is responsible for popularising
the Internet to its current level. In the simplest case, a Web client
(or browser), such as Netscape or Internet Explorer, connects with a
Web server using a simple request/response protocol called HTTP
(Hypertext Transfer Protocol), and requests HTML (Hypertext Markup
Language) pages, images, Flash and other objects.
</para>
<para>
In mode modern situations, the Web server can also geneate pages
dynamically based on information returned from the user. Either way
setting up your own Web server is extremely simple. There are many
choices for Web serving under Linux. Some servers are very mature,
such as Apache, and are perfect for small and large sites alike.
Other servers programmed to be light and fast, and to have only a
limited feature set to reduce complexity. A search on freshmeat.net
will reveal a multitude of servers.
</para>
<para>
Most Linux distributions include Apache <http://www.apache.org>.
Apache is the number one server on the internet according to
http://www.netcraft.co.uk/survey/ . More than a half of all internet
sites are running Apache or one of it derivatives. Apache's advantages
include its modular design, stability and speed. Given the appropriate
hardware and configuration it can support the highest loads: Yahoo,
Altavista, GeoCities, and Hotmail are based on customized versions of
this server.
</para>
<para>
Optional support for SSL (which enables secure transactions) is also
available at:
</para>
<20> http://www.apache-ssl.org/
<20> http://raven.covalent.net/
<20> http://www.c2.net/
Dynamic Web content generation
<para>
Web scripting languages are even more common on Linux than databases
- basically, every language is available. This includes CGI,
PHP 3 and 4, Perl, JSP, ASP (via closed source applications from
Chill!soft and Halycon Software) and ColdFusion.
</para>
<para>
PHP is an open source scripting language designed to churn out
dynamically produced Web content ranging from databases to browsers.
This inludes not only HTML, but also graphics, Macromedia Flash and
XML-based information. The latest versions of PHP provide impressive
speed improvements, install easily from packages and can be set up
quickly. PHP is the most popular Apache module and is used by over
two million sites, including Amazon.com, US telco giant Sprint,
Xoom Networks and Lycos. And unlike most other server side scripting
languages, developers (or those that employ them) can add their own
functions into the source to improve it. Supported databases include
those in the Database serving section and most ODBC compliant
databases. The language itself borrows its structure from Perl and C.
</para>
<20> http://metalab.unc.edu/mdw/HOWTO/WWW-HOWTO.html
<20> http://metalab.unc.edu/mdw/HOWTO/Virtual-Services-HOWTO.html
<20> http://metalab.unc.edu/mdw/HOWTO/Intranet-Server-HOWTO.html
<20> Web servers for Linux
<http://www.linuxlinks.com/Software/Internet/WebServers/>
</sect1 id="Web-Serving">
<sect1 id="X11">
<title>X11</title>
<para>
The X Window System was developed at MIT in the late 1980s, rapidly
becoming the industry standard windowing system for Unix graphics
workstations. The software is freely available, very versatile, and is
suitable for a wide range of hardware platforms. Any X environment
consists of two distinct parts, the X server and one or more X
clients. It is important to realise the distinction between the server
and the client. The server controls the display directly and is
responsible for all input/output via the keyboard, mouse or display.
The clients, on the other hand, do not access the screen directly -
they communicate with the server, which handles all input and output.
It is the clients which do the "real" computing work - running
applications or whatever. The clients communicate with the server,
causing the server to open one or more windows to handle input and
output for that client.
</para>
<para>
In short, the X Window System allows a user to log in into a remote
machine, execute a process (for example, open a web browser) and have
the output displayed on his own machine. Because the process is
actually being executed on the remote system, very little CPU power is
needed in the local one. Indeed, computers exist whose primary purpose
is to act as pure X servers. Such systems are called X terminals.
</para>
<para>
A free port of the X Window System exists for Linux and can be found
at: Xfree <http://www.xfree86.org/>. It is included in most Linux
distributions.
<para>
<para>
For further information regarding X please see:
</para>
X11, LBX, DXPC, NXServer, SSH, MAS
Related HOWTOs:
<EFBFBD> Remote X Apps HOWTO
<EFBFBD> Linux XDMCP HOWTO
<EFBFBD> XDM and X Terminal mini-HOWTO
<EFBFBD> The Linux XFree86 HOWTO
<EFBFBD> ATI R200 + XFree86 4.x mini-HOWTO
<EFBFBD> Second Mouse in X mini-HOWTO
<EFBFBD> Linux Touch Screen HOWTO
<EFBFBD> XFree86 Video Timings HOWTO
<EFBFBD> Linux XFree-to-Xinside mini-HOWTO
<EFBFBD> XFree Local Multi-User HOWTO
<EFBFBD> Using Xinerama to MultiHead XFree86 V. 4.0+
<EFBFBD> Connecting X Terminals to Linux Mini-HOWTO
<EFBFBD> How to change the title of an xterm
<EFBFBD> X Window System Architecture Overview HOWTO
<EFBFBD> The X Window User HOWTO
</sect1 id="X11">
<sect1 id="Email">
<title>Email</title>
<para>
Alongside the Web, mail is the top reason for the popularity of the Internet. Email is an inexpensive and fast method of time-shifted messaging which, much like the Web, is actually based around sending and receiving plain text files. The protocol used is called the Simple Mail Transfer Protocol (SMTP). The server programs that implement SMTP to move mail from one server to another are called Mail Transfer Agents (MTAs).
</para>
<para>
In times gone by, users would Telnet into the SMTP server itself and use a command line program like elm or pine to check ther mail. These days, users run email clients like Netscape, Evolution, Kmail or Outlook on their desktop to check their email off a local SMTP server. Additional protocols like POP3 and IMAP4 are used between the SMTP server and desktop mail client to allow clients to manipulate files on, and download from, their local mail server. The programs that implement POP3 and IMAP4 are called Mail Delivery Agents (MDAs). They are generally separate from MTAs.
</para>
* Linux Mail-Queue mini-HOWTO
* The Linux Mail User HOWTO
</sect1 id="Email-Hosting">
<sect1 id="Proxy-Caching">
8.11. Proxy Server
The term proxy means "to do something on behalf of someone else." In
networking terms, a proxy server computer can act on the behalf of
several clients. An HTTP proxy is a machine that receives requests for
web pages from another machine (Machine A). The proxy gets the page
requested and returns the result to Machine A. The proxy may have a
cache with the requested pages, so if another machine asks for the
same page the copy in the cache will be returned instead. This allows
efficient use of bandwidth resources and less response time. As a side
effect, as client machines are not directly connected to the outside
world this is a way of securing the internal network. A well-
configured proxy can be as effective as a good firewall.
Several proxy servers exist for Linux. One popular solution is the
Apache proxy module. A more complete and robust implementation of an
HTTP proxy is SQUID.
<20> Apache <http://www.apache.org>
<20> Squid <http://squid.nlanr.net/>
<title>Proxy-Caching</title>
<para>
When a web browser retreives information from the Internet, it stores a copy of that information
in a cache on the local machine. When a user requests that information in future, the browser will check to seee if the original source has updated; if not, the browser will simply use the cached version rather than fetch the data again. By doing this, there is less information that needs to be downloadded, which makes the connection seem responsive to users and reduces bandwidth costs. But if there are many browsers accessing the Internet through the same connection, it makes better sense to have a single, centralised cache so that once a single machine has requested some information, the next machine to try and download that information can also access it more quickly. This is the theory behind the proxy cache. Squid is by far the most popular cache used on the Web, and can also be used to accelerate Web serving.
Although Squid is useful for an ISP, large businesses or even a small office can afford to use Squid to speed up transfers and save money, and it can easily be used to the same effect in a home with a few flatmates sharing a cable or ADSL connection.
</para>
Traffic Control HOWTO
ProxyARP Subnetting HOWTO
</sect1 id="Proxy-Caching">
<sect1 id="NTP">
<title>NTP</title>
<para>
Time synchorinisation is generally considered important in the computing
environment. There are a number of reasons why this is important: it makes
sure your scheduled cron tasks on your various servers run well together,
it allows better use of log files between various machines to help
troubleshoot problems, and synchronised, correct logs are also useful if
your servers are ever attacked by crackers (either to report the attempt
to organisations such as AusCERT or in court to use against the bad guys).
Users who have overclocked their machine might also use time synchronisation
techniques to bring the time on their machines back to an accurate figure
at regular intervals, say every 20 minutes of so. This section contains an
overview of time keeping under Linux and some information about NTP, a
protocol which can be used to accurately reset the time across a computer
network.
</para>
2. How Linux Keeps Track of Time
2.1. Basic Strategies
<para>
A Linux system actually has two clocks: One is the battery powered
"Real Time Clock" (also known as the "RTC", "CMOS clock", or "Hardware
clock") which keeps track of time when the system is turned off but is
not used when the system is running. The other is the "system clock"
(sometimes called the "kernel clock" or "software clock") which is a
software counter based on the timer interrupt. It does not exist when
the system is not running, so it has to be initialized from the RTC
(or some other time source) at boot time. References to "the clock" in
the ntpd documentation refer to the system clock, not the RTC.
</para>
<para>
The two clocks will drift at different rates, so they will gradually
drift apart from each other, and also away from the "real" time. The
simplest way to keep them on time is to measure their drift rates and
apply correction factors in software. Since the RTC is only used when
the system is not running, the correction factor is applied when the
clock is read at boot time, using clock(8) or hwclock(8). The system
clock is corrected by adjusting the rate at which the system time is
advanced with each timer interrupt, using adjtimex(8).
</para>
<para>
A crude alternative to adjtimex(8) is to have chron run clock(8) or
hwclock(8) periodically to sync the system time to the (corrected)
RTC. This was recommended in the clock(8) man page, and it works if
you do it often enough that you don't cause large "jumps" in the
system time, but adjtimex(8) is a more elegant solution. Some
applications may complain if the time jumps backwards.
</para>
<para>
The next step up in accuracy is to use a program like ntpd to read the
time periodically from a network time server or radio clock, and
continuously adjust the rate of the system clock so that the times
always match, without causing sudden "jumps" in the system time. If
you always have a network connection at boot time, you can ignore the
RTC completely and use ntpdate (which comes with the ntpd package) to
initialize the system clock from a time server-- either a local server
on a LAN, or a remote server on the internet. But if you sometimes
don't have a network connection, or if you need the time to be
accurate during the boot sequence before the network is active, then
you need to maintain the time in the RTC as well.
</para>
2.2. Potential Conflicts
<para>
It might seem obvious that if you're using a program like ntpd, you
would want to sync the RTC to the (corrected) system clock. But this
turns out to be a bad idea if the system is going to stay shut down
longer than a few minutes, because it interferes with the programs
that apply the correction factor to the RTC at boot time.
</para>
<para>
If the system runs 24/7 and is always rebooted immediately whenever
it's shut down, then you can just set the RTC from the system clock
right before you reboot. The RTC won't drift enough to make a
difference in the time it takes to reboot, so you don't need to know
its drift rate.
</para>
<para>
Of course the system may go down unexpectedly, so some versions of the
kernel sync the RTC to the system clock every 11 minutes if the system
clock has been adjusted by another program. The RTC won't drift enough
in 11 minutes to make any difference, but if the system is down long
enough for the RTC to drift significantly, then you have a problem:
the programs that apply the drift correction to the RTC need to know
*exactly* when it was last reset, and the kernel doesn't record that
information anywhere.
</para>
<para>
Some unix "traditionalists" might wonder why anyone would run a linux
system less than 24/7, but some of us run dual-boot systems with
another OS running some of the time, or run Linux on laptops that have
to be shut down to conserve battery power when they're not being used.
Other people just don't like to leave machines running unattended for
long periods of time (even though we've heard all the arguments in
favor of it). So the "every 11 minutes" feature becomes a bug.
</para>
<para>
This "feature/bug" appears to behave differently in different versions
of the kernel (and possibly in different versions of xntpd and ntpd as
well), so if you're running both ntpd and hwclock you may need to test
your system to see what it actually does. If you can't keep the kernel
from resetting the RTC, you might have to run without a correction
factor on the RTC.
</para>
<para>
The part of the kernel that controls this can be found in
/usr/src/linux-2.0.34/arch/i386/kernel/time.c (where the version
number in the path will be the version of the kernel you're running).
If the variable time_status is set to TIME_OK then the kernel will
write the system time to the RTC every 11 minutes, otherwise it leaves
the RTC alone. Calls to adjtimex(2) (as used by ntpd and timed, for
example) may turn this on. Calls to settimeofday(2) will set
time_status to TIME_UNSYNC, which tells the kernel not to adjust the
RTC. I have not found any real documentation on this.
</para>
<para>
I've heard reports that some versions of the kernel may have problems
with "sleep modes" that shut down the CPU to save energy. The best
solution is to keep your kernel up to date, and refer any problems to
the people who maintain the kernel.
</para>
<para>
If you get bizarre results from the RTC you may have a hardware
problem. Some RTC chips include a lithium battery that can run down,
and some motherboards have an option for an external battery (be sure
the jumper is set correctly). The same battery maintains the CMOS RAM,
but the clock takes more power and is likely to fail first. Bizarre
results from the system clock may mean there is a problem with
interrupts.
</para>
2.3. Should the RTC use Local Time or UTC, and What About DST?
<para>
The Linux "system clock" actually just counts the number of seconds
past Jan 1, 1970, and is always in UTC (or GMT, which is technically
different but close enough that casual users tend to use both terms
interchangeably). UTC does not change as DST comes and goes-- what
changes is the conversion between UTC and local time. The translation
to local time is done by library functions that are linked into the
application programs.
</para>
<para>
This has two consequences: First, any application that needs to know
the local time also needs to know what time zone you're in, and
whether DST is in effect or not (see the next section for more on time
zones). Second, there is no provision in the kernel to change either
the system clock or the RTC as DST comes and goes, because UTC doesn't
change. Therefore, machines that only run Linux should have the RTC
set to UTC, not local time.
</para>
<para>
However, many people run dual-boot systems with other OS's that expect
the RTC to contain the local time, so hwclock needs to know whether
your RTC is in local time or UTC, which it then converts to seconds
past Jan 1, 1970 (UTC). This still does not provide for seasonal
changes to the RTC, so the change must be made by the other OS (this
is the one exception to the rule against letting more than one program
change the time in the RTC).
</para>
<para>
Unfortunately, there are no flags in the RTC or the CMOS RAM to
indicate standard time vs DST, so each OS stores this information
someplace where the other OS's can't find it. This means that hwclock
must assume that the RTC always contains the correct local time, even
if the other OS has not been run since the most recent seasonal time
change.
</para>
<para>
If Linux is running when the seasonal time change occurs, the system
clock is unaffected and applications will make the correct conversion.
But if linux has to be rebooted for any reason, the system clock will
be set to the time in the RTC, which will be off by one hour until the
other OS (usually Windows) has a chance to run.
</para>
<para>
There is no way around this, but Linux doesn't crash very often, so
the most likely reason to reboot on a dual-boot system is to run the
other OS anyway. But beware if you're one of those people who shuts
down Linux whenever you won't be using it for a while-- if you haven't
had a chance to run the other OS since the last time change, the RTC
will be off by an hour until you do.
</para>
<para>
Some other documents have stated that setting the RTC to UTC allows
Linux to take care of DST properly. This is not really wrong, but it
doesn't tell the whole story-- as long as you don't reboot, it does
not matter which time is in the RTC (or even if the RTC's battery
dies). Linux will maintain the correct time either way, until the next
reboot. In theory, if you only reboot once a year (which is not
unreasonable for Linux), DST could come and go and you'd never notice
that the RTC had been wrong for several months, because the system
clock would have stayed correct all along. But since you can't predict
when you'll want to reboot, it's better to have the RTC set to UTC if
you're not running another OS that requires local time.
</para>
<para>
The Dallas Semiconductor RTC chip (which is a drop-in replacement for
the Motorola chip used in the IBM AT and clones) actually has the
ability to do the DST conversion by itself, but this feature is not
used because the changeover dates are hard-wired into the chip and
can't be changed. Current versions change on the first Sunday in April
and the last Sunday in October, but earlier versions used different
dates (and obviously this doesn't work in countries that use other
dates). Also, the RTC is often integrated into the motherboard's
"chipset" (rather than being a separate chip) and I don't know if they
all have this ability.
</para>
2.4. How Linux keeps Track of Time Zones
<para>
You probably set your time zone correctly when you installed Linux.
But if you have to change it for some reason, or if the local laws
regarding DST have changed (as they do frequently in some countries),
then you'll need to know how to change it. If your system time is off
by some exact number of hours, you may have a time zone problem (or a
DST problem).
</para>
<para>
Time zone and DST information is stored in /usr/share/zoneinfo (or
/usr/lib/zoneinfo on older systems). The local time zone is
determined by a symbolic link from /etc/localtime to one of these
files. The way to change your timezone is to change the link. If
your local DST dates have changed, you'll have to edit the file.
</para>
<para>
You can also use the TZ environment variable to change the current
time zone, which is handy of you're logged in remotely to a machine in
another time zone. Also see the man pages for tzset and tzfile.
This is nicely summarized at
<http://www.linuxsa.org.au/tips/time.html>
</para>
2.5. The Bottom Line
<para>
If you don't need sub-second accuracy, hwclock(8) and adjtimex(8) may
be all you need. It's easy to get enthused about time servers and
radio clocks and so on, but I ran the old clock(8) program for years
with excellent results. On the other hand, if you have several
machines on a LAN it can be handy (and sometimes essential) to have
them automatically sync their clocks to each other. And the other
stuff can be fun to play with even if you don't really need it.
</para>
<para>
On machines that only run Linux, set the RTC to UTC (or GMT). On
dual-boot systems that require local time in the RTC, be aware that if
you have to reboot Linux after the seasonal time change, the clock may
be temporarily off by one hour, until you have a chance to run the
other OS. If you run more than two OS's, be sure only one of them is
trying to adjust for DST.
</para>
<para>
NTP is a standard method of synchronising time on a client from a remote
server across the network. NTP clients are typically installed on servers.
NTP is a standard method of synchronising time across a network of
computers. NTP clients are typically installed on servers.
Most business class ISPs provide NTP servers. Otherwise, there are a
number of free NTP servers in Australia:
</para>
<para>
The Univeristy of Melbourne ntp.cs.mu.oz.au
University of Adelaide ntp.saard.net
CSIRO Marine Labs, Tasmania ntp.ml.csiro.au
CSIRO National Measurements Laboratory, Sydney ntp.syd.dms.csiro.au
</para>
<para>
Xntpd (NTPv3) has been replaced by ntpd (NTPv4); the earlier version
is no longer being maintained.
</para>
</para>
Ntpd is the standard program for synchronizing clocks across a
network, and it comes with a list of public time servers you can
connect to. It can be a little more complicated to set up, but if
you're interested in this kind of thing I highly recommend that you
take a look at it.
</para>
<para>
The "home base" for information on ntpd is the NTP website at
<http://www.eecis.udel.edu/~ntp/> which also includes links to all
kinds of interesting time-related stuff (including software for other
OS's). Some linux distributions include ntpd on the CD. There is a
list of public time servers at
<http://www.eecis.udel.edu/~mills/ntp/clock2.html>.
</para>
<para>
A relatively new feature in ntpd is a "burst mode" which is designed
for machines that have only intermittent dial-up access to the
internet.
</para>
<para>
Ntpd includes drivers for quite a few radio clocks (although some
appear to be better supported than others). Most radio clocks are
designed for commercial use and cost thousands of dollars, but there
are some cheaper alternatives (discussed in later sections). In the
past most were WWV or WWVB receivers, but now most of them seem to be
GPS receivers. NIST has a PDF file that lists manufacturers of radio
clocks on their website at
<http://www.boulder.nist.gov/timefreq/links.htm> (near the bottom of
the page). The NTP website also includes many links to manufacturers
of radio clocks at <http://www.eecis.udel.edu/~ntp/hardware.htm> and
<http://www.eecis.udel.edu/~mills/ntp/refclock.htm>. Either list may
or may not be up to date at any given time :-). The list of drivers
for ntpd is at
<http://www.eecis.udel.edu/~ntp/ntp_spool/html/refclock.htm>.
</para>
<para>
Ntpd also includes drivers for several dial-up time services. These
are all long-distance (toll) calls, so be sure to calculate the effect
on your phone bill before using them.
</para>
3.4. Chrony
<para>
Xntpd was originally written for machines that have a full-time
connection to a network time server or radio clock. In theory it can
also be used with machines that are only connected intermittently, but
Richard Curnow couldn't get it to work the way he wanted it to, so he
wrote "chrony" as an alternative for those of us who only have network
access when we're dialed in to an ISP (this is the same problem that
ntpd's new "burst mode" was designed to solve). The current version
of chrony includes drift correction for the RTC, for machines that are
turned off for long periods of time.
</para>
<para>
You can get more information from Richard Curnow's website at
<http://www.rrbcurnow.freeuk.com/chrony> or <http://go.to/chrony>.
There are also two chrony mailing lists, one for announcements and one
for discussion by users. For information send email to chrony-users-
subscribe@egroups.com or chrony-announce-subscribe@egroups.com
</para>
<para>
Chrony is normally distributed as source code only, but Debian has
been including a binary in their "unstable" collection. The source
file is also available at the usual Linux archive sites.
</para>
3.5. Clockspeed
<para>
Another option is the clockspeed program by DJ Bernstein. It gets the
time from a network time server and simply resets the system clock
every three seconds. It can also be used to synchronize several
machines on a LAN.
</para>
<para>
I've sometimes had trouble reaching his website at
<http://Cr.yp.to/clockspeed.html>, so if you get a DNS error try again
on another day. I'll try to update this section if I get some better
information.
</para>
<para>
Note
You must be logged in as "root" to run any program that affects
the RTC or the system time, which includes most of the programs
described here. If you normally use a graphical interface for
everything, you may also need to learn some basic unix shell
commands.
</para>
<para>
Note
If you run more than one OS on your machine, you should only let
one of them set the RTC, so they don't confuse each other. The
exception is the twice-a-year adjustment for Daylight Saving(s)
Time.
</para>
<para>
If you run a dual-boot system that spends a lot of time running
Windows, you may want to check out some of the clock software
available for that OS instead. Follow the links on the NTP website at
<http://www.eecis.udel.edu/~ntp/software.html>.
</para>
</sect1 id="NTP">
<sect1 id="Traffic-Control">
8.6. Traffic Shaping
The traffic shaper is a virtual network device that makes it possible
to limit the rate of outgoing data flow over another network device.
This is especially useful in scenarios such as ISPs, where it is
desirable to control and enforce policies regarding how much bandwidth
is used by each client. Another alternative (for web services only)
may be certain Apache modules which restrict the number of IP
connections by client or the bandwidth used.
<title>Traffic-Control</title>
<para>
Traffic control encompasses the sets of mechanisms and operations by which
packets are queued for transmission/reception on a network interface. The
operations include enqueuing, policing, classifying, scheduling, shaping and
dropping. This HOWTO provides an introduction and overview of the
capabilities and implementation of traffic control under Linux.
</para>
<EFBFBD><EFBFBD>*<2A> the linux DiffServ project
<EFBFBD><EFBFBD>*<2A> HTB site (Martin "devik" Devera)
<EFBFBD><EFBFBD>*<2A> Traffic Control Next Generation (tcng)
TCNG manual (Werner Almesberger)
<EFBFBD><EFBFBD>*<2A> iproute2 (Alexey Kuznetsov)
iproute2 manual (Alexey Kuznetsov)
<EFBFBD><EFBFBD>*<2A> Research and documentation on traffic control under linux (Stef Coene)
<EFBFBD><EFBFBD>*<2A> LARTC HOWTO (bert hubert, et. al.)
<EFBFBD><EFBFBD>*<2A> guide to IP networking with linux (Martin A. Brown)
* http://metalab.unc.edu/mdw/HOWTO/NET3-4-HOWTO-6.html#ss6.15
* Traffic Control HOWTO
</sect1 id="Traffic-Control">
<sect1 id="Load-Balancing">
<title>Load-Balancing</title>
<para>
Demand for load balancing usually arises in database/web access when
many clients make simultaneous requests to a server. It would be
desirable to have multiple identical servers and redirect requests to
the less loaded server. This can be achieved through Network Address
Translation techniques (NAT) of which IP masquerading is a subset.
Network administrators can replace a single server providing Web
services - or any other application - with a logical pool of servers
sharing a common IP address. Incoming connections are directed to a
particular server using one load-balancing algorithm. The virtual
server rewrites incoming and outgoing packets to give clients the
appearance that only one server exists.
</para>
<para>
Linux IP-NAT information may be found here <http://www.csn.tu-
chemnitz.de/HyperNews/get/linux-ip-nat.html>
</para>
</sect1 id="Load-Balancing">
<sect1 id="Bandwidth-Limiting">
<title>Bandwidth-Limiting</title>
<para>
This section describes how to set up your Linux server to limit download
bandwidth or incoming traffic and how to use your internet link more
efficiently. It is meant to provide an easy solution for limiting
incoming traffic, thus preventing our LAN users from consuming all the
bandwidth of our internet link. This is useful when our internet link
is slow or our LAN users download tons of mp3s and the newest Linux
distro's *.iso files.
</para>
* Bandwidth Limiting HOWTO
6. Miscellaneous
6.1. Useful resources
Squid Web Proxy Cache
[http://www.squid-cache.org] http://www.squid-cache.org
Squid 2.4 Stable 1 Configuration manual
[http://www.visolve.com/squidman/Configuration%20Guide.html] http://
www.visolve.com/squidman/Configuration%20Guide.html
[http://www.visolve.com/squidman/Delaypool%20parameters.htm] http://
www.visolve.com/squidman/Delaypool%20parameters.htm
Squid FAQ
[http://www.squid-cache.org/Doc/FAQ/FAQ-19.html#ss19.8] http://
www.squid-cache.org/Doc/FAQ/FAQ-19.html#ss19.8
cbq-init script
[ftp://ftp.equinox.gu.net/pub/linux/cbq/] ftp://ftp.equinox.gu.net/pub/linux/
cbq/
Linux 2.4 Advanced Routing HOWTO
[http://www.linuxdoc.org/HOWTO/Adv-Routing-HOWTO.html] http://
www.linuxdoc.org/HOWTO/Adv-Routing-HOWTO.html
Traffic control (in Polish)
[http://ceti.pl/~kravietz/cbq/] http://ceti.pl/~kravietz/cbq/
Securing and Optimizing Linux Red Hat Edition - A Hands on Guide
[http://www.linuxdoc.org/guides.html] http://www.linuxdoc.org/guides.html
IPTraf
[http://cebu.mozcom.com/riker/iptraf/] http://cebu.mozcom.com/riker/iptraf/
IPCHAINS
[http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html] http://www.linuxdoc.org/
HOWTO/IPCHAINS-HOWTO.html
Nylon socks proxy server
[http://mesh.eecs.umich.edu/projects/nylon/] http://mesh.eecs.umich.edu/
projects/nylon/
Indonesian translation of this HOWTO by Rahmat Rafiudin mjl_id@yahoo.com
[http://raf.unisba.ac.id/resources/BandwidthLimitingHOWTO/index.html] http://
raf.unisba.ac.id/resources/BandwidthLimitingHOWTO/index.html
</sect1 id="Bandwidth-Limiting">
<sect1 id="Compressed-TCP">
<title>Compressed-TCP</title>
<para>
In the past, we used to compress files in order to save disk space.
Today, disk space is cheap - but bandwidth is limited. By compressing
data streams such as TCP/IP-Sessions using SSH-like tools, you achieve
two goals:
</para>
1) You save bandwidth/transfered volume (that is important if you have
to pay for traffic or if your network is loaded.).
2) Speeding up low-bandwidth connections (Modem, GSM, ISDN).
<para>
This HowTo explains how to save both bandwith and connection time by
using tools like SSH1, SSH2, OpenSSH or LSH.
</para>
2. Compressing HTTP/FTP,...
<para>
My office is connected with a 64KBit ISDN line to the internet, so the
maximum transfer rate is about 7K/s. You can speed up the connection
by compressing it: when I download files, Netscape shows up a transfer
rate of up to 40K/s (Logfiles are compressable by factor 15). SSH is a
tool that is mainly designed to build up secure connections over
unsecured networks. Further more, SSH is able to compress connections
and to do port forwarding (like rinetd or redir). So it is the
appropriate tool to compress any simple TCP/IP connection. "Simple"
means, that only one TCP-connection is opened. An FTP-connections or
the connection between M$-Outlook and MS-Exchange are not simple as
several connections are established. SSH uses the LempleZiv (LZ77)
compression algorithm - so you will achieve the same high compression
rate as winzip/pkzip. In order to compress all HTTP-connections from
my intranet to the internet, I just have to execute one command on my
dial-in machine:
</para>
<para>
<screen>
ssh -l <login ID> <hostname> -C -L8080:<proxy_at_ISP>:80 -f sleep
10000
</screen>
</para>
<para>
<screen>
<hostname> = host that is located at my ISP. SSH-access is required.
<login ID> = my login-ID on <hostname>
<proxy_at_ISP> = the web proxy of my ISP
</screen>
</para>
<para>
My browser is configured to use localhost:8080 as proxy. My laptop
connects to the same socket. The connection is compressed and
forwarded to the real proxy by SSH. The infrastructure looks like:
</para>
<para>
<screen>
64KBit ISDN
My PC--------------------------------A PC (Unix/Linux/Win-NT) at my ISP
SSH-Client compressed SSH-Server, Port 22
Port 8080 |
| |
| |
| |
|10MBit Ethernet |100MBit
|not compressed |not compressed
| |
| |
My second PC ISP's WWW-proxy
with Netscape,... Port 80
(Laptop)
</screen>
</para>
3. Compressing Email
3.1. Incoming Emails (POP3, IMAP4)
<para>
Most people fetch their email from the mailserver via POP3. POP3 is a
protocol with many disadvantages:
</para>
1. POP3 transfers password in clear text. (There are SSL-
implementations of POP/IMAP and a challenge/response
authentication, defined in RFC-2095/2195).
2. POP3 causes much protocol overhead: first the client requests a
message than the server sends the message. After that the client
requests the transferred article to be deleted. The server confirms
the deletion. After that the server is ready for the next
transaction. So 4 transactions are needed for each email.
3. POP3 transfers the mails without compression although email is
highly compressible (factor=3.5).
<para>
You could compress POP3 by forwarding localhost:110 through a
compressed connection to your ISP's POP3-socket. After that you have
to tell your mail client to connect to localhost:110 in order to
download mail. That secures and speeds up the connection -- but the
download time still suffers from the POP3-inherent protocol overhead.
</para>
<para>
It makes sense to substitute POP3 by a more efficient protocol. The
idea is to download the entire mailbox at once without generating
protocol overhead. Furthermore it makes sense to compress the
connections. The appropriate tool which offers both features is SCP.
You can download your mail-file like this:
</para>
<para>
<screen>
scp -C -l loginId:/var/spool/mail/loginid /tmp/newmail
</screen>
</para>
<para>
But there is a problem: what happens if a new email arrives at the
server during the download of your mailbox? The new mail would be
lost. Therefore it makes more sense to use the following commands:
</para>
<para>
<screen>
ssh -l loginid mailserver -f mv /var/spool/mail/loginid
/tmp/loginid_fetchme
scp -C -l loginid:/tmp/my_new_mail /tmp/loginid_fetchme
</screen>
</para>
<para>
A move (mv) is a elementary operation, so you won't get into truble if
you receive new mail during the execution of the commands. But if the
mail server directories /tmp/ and /var/spool/mail are not on the same
disc you might get problems. A solution is to create a lockfile on the
server before you execute the mv: touch /var/spool/mail/loginid.lock.
You should remove it, after that. A better solution is to move the
file loginid in the same directory:
</para>
<para>
<screen>
ssh -l loginid mailserver -f mv /var/spool/mail/loginid
/var/spool/mail/loginid_fetchme
</screen>
</para>
<para>
After that you can use formail instead of procmail in order to filter
/tmp/newmail into the right folder(s):
</para>
<para>
<screen>
formail -s procmail < /tmp/newmail
</screen>
</para>
3.2. Outgoing Email (SMTP)
<para>
You send email over compresses and encrypted SSH-connections, in order
to:
</para>
<20> Save network traffic
<20> Secure the connection (This does not make sense, if the mail is
transported over untrusted networks, later.)
<20> Authenticate the sender. Many mail servers deny mail relaying in
order to prevent abuse. If you send an email over an SSH-
connection, the remote mail server (i.e. sendmail or MS-exchange)
thinks to be connected, locally.
<para>
If you have SSH-access on the mail server, you need the following
command:
</para>
<para>
<screen>
ssh -C -l loginid mailserver -L2525:mailserver:25
</screen>
</para>
<para>
If you don't have SSH-access on the mail server but to a server that
is allowed to use your mail server as relay, the command is:
</para>
<para>
<screen>
ssh -C -l loginid other_server -L2525:mailserver:25
</screen>
</para>
<para>
After that you can configure your mail client (or mail server: see
"smarthost") to send out mails to localhost port 2525.
</para>
4. Thoughts about performance.
<para>
Of course compression/encryption takes CPU time. It turned out that an
old Pentium-133 is able to encrypt and compress about 1GB/hour --
that's quite a lot. If you compile SSH with the option "--with-none"
you can tell SSH to use no encryption. That saves a little
performance. Here is a comprison between several download methods
(during the test, a noncompressed 6MB-file was transfered from a
133MHz-Pentium-1 to a 233MHz Pentium2 laptop over a 10MBit ethernet
without other load).
</para>
<para>
<screen>
+-------------------+--------+----------+-----------+----------------------+
| | FTP |encrypted |compressed |compressed & encrypted|
+-------------------+--------+----------+-----------+----------------------+
| Elapsed Time | 17.6s | 26s | 9s | 23s |
+-------------------+--------+----------+-----------+----------------------+
| Throughput | 790K/s | 232K/s | 320K/s | 264K/s |
+-------------------+--------+----------+-----------+----------------------+
|Compression Factor | 1 | 1 | 3.8 | 3.8 |
+-------------------+--------+----------+-----------+----------------------+
</screen>
</para>
</sect1 id="Compressed-TCP">
<sect1 id="IP-Accounting">
<title>IP-Accounting</title>
<para>
This option of the Linux kernel keeps track of IP network traffic,
performs packet logging and produces some statistics. A series of
rules may be defined so when a packet matches a given pattern, some
action is performed: a counter is increased, it is accepted/rejected,
etc.
</para>
<para>
6.3. IP Accounting (for Linux-2.0)
The IP accounting features of the Linux kernel allow you to collect
and analyze some network usage data. The data collected comprises the
number of packets and the number of bytes accumulated since the
figures were last reset. You may specify a variety of rules to
categorize the figures to suit whatever purpose you may have. This
option has been removed in kernel 2.1.102, because the old ipfwadm-
based firewalling was replaced by ``ipfwchains''.
</para>
<para>
<screen>
Kernel Compile Options:
Networking options --->
[*] IP: accounting
</screen>
</para>
<para>
After you have compiled and installed the kernel you need to use the
ipfwadm command to configure IP accounting. There are many different
ways of breaking down the accounting information that you might
choose. I've picked a simple example of what might be useful to use,
you should read the ipfwadm man page for more information.
Scenario: You have a ethernet network that is linked to the internet
via a PPP link. On the ethernet you have a machine that offers a
number of services and that you are interested in knowing how much
traffic is generated by each of ftp and world wide web traffic, as
well as total tcp and udp traffic.
</para>
<para>
You might use a command set that looks like the following, which is
shown as a shell script:
</para>
<para>
<screen>
#!/bin/sh
#
# Flush the accounting rules
ipfwadm -A -f
#
# Set shortcuts
localnet=44.136.8.96/29
any=0/0
# Add rules for local ethernet segment
ipfwadm -A in -a -P tcp -D $localnet ftp-data
ipfwadm -A out -a -P tcp -S $localnet ftp-data
ipfwadm -A in -a -P tcp -D $localnet www
ipfwadm -A out -a -P tcp -S $localnet www
ipfwadm -A in -a -P tcp -D $localnet
ipfwadm -A out -a -P tcp -S $localnet
ipfwadm -A in -a -P udp -D $localnet
ipfwadm -A out -a -P udp -S $localnet
#
# Rules for default
ipfwadm -A in -a -P tcp -D $any ftp-data
ipfwadm -A out -a -P tcp -S $any ftp-data
ipfwadm -A in -a -P tcp -D $any www
ipfwadm -A out -a -P tcp -S $any www
ipfwadm -A in -a -P tcp -D $any
ipfwadm -A out -a -P tcp -S $any
ipfwadm -A in -a -P udp -D $any
ipfwadm -A out -a -P udp -S $any
#
# List the rules
ipfwadm -A -l -n
#
</screen>
</para>
<para>
The names ``ftp-data'' and ``www'' refer to lines in /etc/services.
The last command lists each of the Accounting rules and displays the
collected totals.
</para>
<para>
An important point to note when analyzing IP accounting is that totals
for all rules that match will be incremented so that to obtain
differential figures you need to perform appropriate maths. For
example if I wanted to know how much data was not ftp nor www I would
substract the individual totals from the rule that matches all ports.
</para>
<para>
<screen>
root# ipfwadm -A -l -n
IP accounting rules
pkts bytes dir prot source destination ports
0 0 in tcp 0.0.0.0/0 44.136.8.96/29 * -> 20
0 0 out tcp 44.136.8.96/29 0.0.0.0/0 20 -> *
10 1166 in tcp 0.0.0.0/0 44.136.8.96/29 * -> 80
10 572 out tcp 44.136.8.96/29 0.0.0.0/0 80 -> *
252 10943 in tcp 0.0.0.0/0 44.136.8.96/29 * -> *
231 18831 out tcp 44.136.8.96/29 0.0.0.0/0 * -> *
0 0 in udp 0.0.0.0/0 44.136.8.96/29 * -> *
0 0 out udp 44.136.8.96/29 0.0.0.0/0 * -> *
0 0 in tcp 0.0.0.0/0 0.0.0.0/0 * -> 20
0 0 out tcp 0.0.0.0/0 0.0.0.0/0 20 -> *
10 1166 in tcp 0.0.0.0/0 0.0.0.0/0 * -> 80
10 572 out tcp 0.0.0.0/0 0.0.0.0/0 80 -> *
253 10983 in tcp 0.0.0.0/0 0.0.0.0/0 * -> *
231 18831 out tcp 0.0.0.0/0 0.0.0.0/0 * -> *
0 0 in udp 0.0.0.0/0 0.0.0.0/0 * -> *
0 0 out udp 0.0.0.0/0 0.0.0.0/0 * -> *
</screen>
</para>
<para>
6.4. IP Accounting (for Linux-2.2)
The new accounting code is accessed via ``IP Firewall Chains''. See
the IP chains home page for more information. Among other things,
you'll now need to use ipchains instead of ipfwadm to configure your
filters. (From Documentation/Changes in the latest kernel sources).
</para>
</sect1 id="IP-Accounting">
<sect1 id="IP-Aliasing">
<title>IP-Aliasing</title>
<para>
This is a cookbook recipe on how to set up and run IP aliasing on a Linux box
and how to set up the machine to receive e-mail on the aliased IP addresses.
</para>
<para>
This feature of the Linux kernel provides the possibility of setting
multiple network addresses on the same low-level network device driver
(e.g two IP addresses in one Ethernet card). It is typically used for
services that act differently based on the address they listen on
(e.g. "multihosting" or "virtual domains" or "virtual hosting
services".
</para>
<para>
There are some applications where being able to configure multiple IP
addresses to a single network device is useful. Internet Service
Providers often use this facility to provide a `customized' to their
World Wide Web and ftp offerings for their customers. You can refer to
the ``IP-Alias mini-HOWTO'' for more information than you find here.
</para>
</sect1 id="IP-Aliasing">
<sect1 id="Multicasting">
<title>Multicasting</title>
<para>
* Multicast HOWTO
</sect1 id="Multicast">
<sect1 id="Network-Management">
<title>Network-Management</title>
<para>
There is an impressive number of tools focused on network management
and remote administration under Linux. Some interesting remote administration
projects are linuxconf and webmin:
</para>
<para>
<EFBFBD> Webmin <http://www.webmin.com/webmin/>
<EFBFBD> Linuxconf <http://www.solucorp.qc.ca/linuxconf/>
</para>
<para>
Other tools include network traffic analysis tools, network security
tools, monitoring tools, configuration tools, etc. An archive of many
of these tools may be found at Metalab
<http://www.metalab.unc.edu/pub/Linux/system/network/>
</para>
9.2. SNMP
<para>
The Simple Network Management Protocol is a protocol for Internet
network management services. It allows for remote monitoring and
configuration of routers, bridges, network cards, switches, etc...
There is a large amount of libraries, clients, daemons and SNMP based
monitoring programs available for Linux. A good page dealing with SNMP
and Linux software may be found at : http://linas.org/linux/NMS.html
</para>
10. Enterprise Linux Networking
<para>
In certain situations it is necessary for the networking
infrastructure to have proper mechanisms to guarantee network
availability nearly 100% of the time. Some related techniques are
described in the following sections. Most of the following material
can be found at the excellent Linas website:
http://linas.org/linux/index.html and in the Linux High-Availability
HOWTO <http://metalab.unc.edu/pub/Linux/ALPHA/linux-ha/High-
Availability-HOWTO.html>
</para>
10.1. High Availability
<para>
Redundancy is used to prevent the overall IT system from having single
points of failure. A server with only one network card or a single
SCSI disk has two single points of failure. The objective is to mask
unplanned outages from users in a manner that lets users continue to
work quickly. High availability software is a set of scripts and tools
that automatically monitor and detect failures, taking the appropriate
steps to restore normal operation and to notifying system
administrators.
</para>
</sect1 id="Networking-Management">
<sect1 id="Redundant-Networking">
<title>Redundant-Networking</title>
<para>
IP Address Takeover (IPAT). When a network adapter card fails, its IP
address should be taken by a working network card in the same node or
in another node. MAC Address Takeover: when an IP takeover occurs, it
should be made sure that all the nodes in the network update their ARP
caches (the mapping between IP and MAC addresses).
</para>
<para>
See the High-Availability HOWTO for more details:
http://metalab.unc.edu/pub/Linux/ALPHA/linux-ha/High-Availability-
HOWTO.html
</para>
</sect1 id="Redundant-Networking">
View Git Blame Copy Permalink