netscript-2.4 for Debian
------------------------

netscript is designed to work best with router software such as quagga or bird. Most of the interface-level configuration you will need is found in /etc/netscript/network.conf, including the lower-level protocol daemons/configuration programs like ciped, pppd, or wanconfig. See below for more details on this recommended editing policy.

You will have to configure the firewall using the iptables commands directly. Don't forget to save the configuration using the 'netscript ipfilter save' and 'netscript ip6filter save' commands, otherwise the rules are lost at the next reboot!

Unlike the last version, firewalling and filtering are no longer configured from network.conf. This has been done because stateful filtering obviates the need for great complexity in the firewall scripts, and more flexibility is possible. You have to get down and dirty with iptables and learn it, which is a good thing to do if you are running this to build a network: you should understand things fully, or else you will get things wrong.

CONFIGURATION
-------------

Sysvinit is no longer supported, thanks to some irresolvable boot order dependency loops with the ifupdown package.

For systemd:

  systemctl mask networking
  systemctl mask ifupdown
  systemctl mask ifup@.service

Or saving /etc/network/interfaces and purging ifupdown should suffice. A lot cleaner:

  cp /etc/network/interfaces /tmp
  dpkg --purge ifupdown
  cp /tmp/interfaces /etc/network

You may also want to mask all the NetworkManager services as well, as it likes configuring things that are not in /etc/network/interfaces.

You may also want to stop inetd and/or portmap from starting up, but check that you have something like ssh set up to run in daemon mode first before doing inetd, or you will lock yourself out of a remote box! The commands would be:

  update-rc.d -f portmap remove
  update-rc.d -f inetd remove

or:

  systemctl mask portmap
  systemctl mask inetd

All of the above steps will be integrated into a debhelper setup for this package if possible in the near future.
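As an added example (not part of the netscript package or this README), the conversion steps above and the hand-written stateful iptables ruleset the introduction asks for, collected into one POSIX shell script. It assumes the unit names given above, that sshd already listens stand-alone on tcp/22, that eth0 faces the outside and eth1 the trusted LAN, and that the copy of /etc/network/interfaces goes to /root (root-only) rather than /tmp; the interface names, backup path and script name are illustrative.

```shell
#!/bin/sh
# Added example, not part of netscript or this README: convert a Debian box to
# netscript control and install a hand-written stateful iptables ruleset.
# Assumptions (labelled): unit names as in the README; sshd already listens
# stand-alone on tcp/22; WAN_IF faces the outside, LAN_IF the trusted LAN; the
# interfaces backup goes to /root (root-only, unlike /tmp). Run as root:
#   sh netscript-convert.sh --apply eth0 eth1
set -eu

# 1. Refuse to stop inetd while ssh is still served from it (the README's
#    "check that you have ssh running in daemon mode first"). Returns 0 if
#    the given inetd.conf has an active (uncommented) ssh line.
ssh_served_by_inetd() {
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*ssh[[:space:]]' "$1"
}

# 2. Copy a file and confirm the copy is byte-identical before anything is
#    purged. Used for /etc/network/interfaces, which must survive the purge.
preserve_file() {
    cp -p "$1" "$2"
    cmp -s "$1" "$2"
}

# 3. Stateful ruleset for a router. Policy is DROP on INPUT and FORWARD; only
#    replies to established flows, ssh and ping from the WAN, and anything
#    from the LAN reach the box; forwarding is LAN->WAN plus replies. Uses
#    -m state, which exists on 2.4 kernels and is still accepted today.
apply_ruleset() {
    wan=$1
    lan=$2
    iptables -F
    iptables -X
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -m state --state INVALID -j DROP
    iptables -A INPUT -i "$lan" -j ACCEPT
    iptables -A INPUT -i "$wan" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    iptables -A INPUT -i "$wan" -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A INPUT -j LOG --log-prefix "IN-DROP: "
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m state --state INVALID -j DROP
    iptables -A FORWARD -i "$lan" -o "$wan" -j ACCEPT
    iptables -A FORWARD -j LOG --log-prefix "FWD-DROP: "
}

# Only touch the system when asked; without --apply the script just defines
# the functions above so they can be tried against copies of the files.
if [ "${1-}" = "--apply" ]; then
    WAN_IF=${2:-eth0}
    LAN_IF=${3:-eth1}
    if ssh_served_by_inetd /etc/inetd.conf; then
        echo "ssh is still started from inetd; enable sshd stand-alone first" >&2
        exit 1
    fi
    for unit in inetd portmap; do
        systemctl mask "$unit"
    done
    # The README's "purge ifupdown" route, keeping /etc/network/interfaces.
    preserve_file /etc/network/interfaces /root/interfaces.pre-netscript
    dpkg --purge ifupdown
    cp -p /root/interfaces.pre-netscript /etc/network/interfaces
    apply_ruleset "$WAN_IF" "$LAN_IF"
    # Persist the rules as the README requires, or they vanish on reboot.
    netscript ipfilter save
fi
```

Run it with --apply as root once the LAN side is reachable by some other path than the WAN ssh rule, since the flush and the DROP policies happen before the accept rules are added; without --apply nothing on the system is changed.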
If you want to set up static routing using this package, it would be a good idea to install the quagga or bird routing software packages: it is probably a good idea to run a routing protocol on any network that needs static routes other than the default, and static routes are more easily set up from the routing software anyway if they are really needed.

LAPTOP SETUP
------------

This is still being developed, and I have been unable to complete the work on wireless and on starting/stopping services like NFS mounts, because my laptop gives me a lot of trouble under Linux. Lockups, and particularly keyboards being unpredictable, make development hard work.

IPv6 support is there, as it is an analogue of the IPv4 work, but needs testing. Wireless support with waproamd still needs to be teased out.

You will need to install whereami, ifplugd, waproamd, dnsmasq, and resolvconf. Get whereami configured to detect the network location and print it out using the --mapping switch. Then edit /etc/netscript/network.conf; you will see a section halfway down the file just after the DHCP setup examples.

You will have to add the following file, named netscript, to the /etc/ifplugd/action.d directory (chmod 0755), and comment out all lines in the ifupdown script in the same directory. ifplugd calls it with the interface as $1 and "up" or "down" as $2:

  #!/bin/sh
  # ifplugd action script: $1 is the interface, $2 is "up" or "down".
  set +e

  case "$2" in
    up)
      /sbin/netscript ifup "$1" > /dev/null 2>&1
      RETVAL=$?
      sleep 5
      exit $RETVAL
      ;;
    down)
      /sbin/netscript ifdown "$1" > /dev/null 2>&1
      exit $?
      ;;
    *)
      echo "$0: unknown action '$2' for interface '$1'" >&2
      exit 1
      ;;
  esac

After this, dnsmasq and resolvconf will just basically work for ethernet. Waproamd setup should be similar to the above, but I have not been able to experiment yet.
UPGRADE PATH FROM KERNEL 2.2.X
------------------------------

The firewall/IP filtering part in ipfilter.conf is what changed radically with the move to iptables, which is a far better way of setting up the IP filtering rules. The QoS and interface startup/shutdown settings in if.conf have changed too, but remain backwards compatible with the old 2.2.x ipchains version of netscript for the interface address configuration settings. You will have to set up the filtering again by using the iptables commands directly.

Also, the kernel 2.2.x version scripts are set up so that iptables is only run on a 2.4.x kernel; otherwise, if you have set IPFWDING_KERNEL to FILTER_ON in network.conf beforehand, IP forwarding is disabled rather than left running unfiltered. This means that when you upgrade a box to a 2.4.x router kernel, you should be able to reboot it, log in remotely, and upgrade netscript to the version that supports 2.4.x. In this situation, if you have set the old IPFWDING_KERNEL setting to FILTER_ON beforehand in network.conf, all IP forwarding through the box will be disabled until the new filtering is in place, so the box fails closed. This means that you can safely upgrade a firewall remotely.

 -- Matthew Grant, Sat, 30 Oct 2004 18:03:24 +1300