Slackware 12.0 - NFS, NAS, rsync

I wanted to use an Ethernet connected LAN with a NAS running NFS to synch between a work laptop and a home desktop. That is, I wanted to come home from work and synch my laptop to the NAS, and then also, if I did work with the desktop, to then synch it to the NAS. Since all are Linux systems, I hoped to use NFS and avoid the security problems and overhead of running anything Windows-related such as SMB or Samba. NFS is an older service which lies on top of Sun's RPC services.

Vantec LX NAS (NST-375LX-BK)

Before doing any research, I purchased a Vantec NAS enclosure and ran into problems. Installed a dormant 350GB PATA drive into this enclosure which has USB and Ethernet ports. Unfortunately, it appears that the Ethernet portion serves SMB protocol only. This means it's not mountable in an NFS manner, because it requires SMB passwords and protocols. Effectively then, unless one wants to install Windows compatible Samba garbage, one is forced to use the USB connection. That means a person essentially has a bulky, expensive USB pendrive. What a load of crap, but if you want to jeopardize your box w/Samba, here is a forum link with the info of what to do.

politics

Once annoyed by Vantec, I dug deeper. An interesting point is it appears there are no average-user NAS enclosures running NFS in the US consumer marketplace. In the US, to purchase a NAS that works with NFS one must spend about $1000, but if one only needs Windows or Samba-friendly enclosures, the cost is perhaps $400. Interesting. Additionally, there are many options for inexpensive NFS-serving NAS enclosures in foreign markets, such as the UK. These enclosures don't require Windows or Samba, so why is NFS shut-out in the US? I couldn't find a reason. However, it's understood that Windows and Samba have security vulnerabilities, Perhaps the easy security around NFS is considered undesirable by those who wish to peer into our systems, though I don't wish to be cynical.
As for security/safety, we'll look later at an ssh implementation of NFS, but let's first examine a vanilla version.

NFS, RPC, portmapper

As noted above, NFS lies on top of RPC services. RPC ports are not dedicated, they move around, so we need portmapper as a connection tracker. The portion of NFS which sends commands and acknowledgments between server and client is a normal dedicated port "file" (ports are files in UNIX), port 2049. But NFS uses undedicated RPC ports to move the data payloads, eg. the powerpoint files, the text files, whatever we are moving. Portmapper is necessary for this portion of the transfer. If portmapper crashes, data may be lost or unsaved.

RPC functionality

This tutorial is a good start to setting up the RPC functionality necessary for NFS.
1. The presence of /etc/hosts.allow and /etc/hosts.deny.

portmapper functionality

NFS functionality

1. I've heard domains have to be the same across the machines. For example, let's say one machine's /etc/HOSTNAME indicates "green.example.net", and the other machine has "blue.example.net".

NFS from command line

NFS is essentially a mount, but remote - we mount a drive, or folders from a drive, from another system on the LAN, and it appears as a drive on our current system, though labeled so we know it's an NFS share. We can mount temporarily from command line or make it permanent as part of the boot process.

NFS as an fstab line

NFS directory mounting

security

We will need various ports, and the system should be operating before attempting to add firewall functionality which may affect ports.

Slackware 12.0 - Dual Homed

Challenges can arise when a wifi NIC is handling wifi internet access and, in the same computer or "host", an ethernet NIC is operating in a wired LAN (eg, with a printer and backup storage). Since the host exists in two different LANs simultaneously, it is "dual homed". Obviously, two LANS means two routers.

gateway vs. dhcpcd

Check email at Yahoo. The host PC makes this request to Yahoo and Yahoo is outside the host's network, so it needs to use the gateway and the name servers outside the gateway. But when interfaces are being initialized at boot, the dhcp application, dhcpcd, overwrites the /etc/resolve.conf file that shows the IP addresses of these nameservers. So, if we bring the eth0 connection up after the wlan0 connection, our nameservers will be overwritten. To avoid this we do all these things:

/etc/rc.d/rc.local
ifconfig eth0 down
ifconfig wlan0 up
dhcpcd wlan0
sleep 3
route
sleep 5
route del -net 169.254.0.0 netmask 255.255.0.0 dev wlan0
ifconfig eth0 up
sleep 3
dhcpcd -R eth0 #-R prevents resolv.conf overwrite
sleep 3

Sometimes,(rare) I have a "UG" default gateway for both wlan0 and eth0 even after these steps. I then remove the extra gateway at the command line:

route del default eth0

A quick verification with "route" shows me the second gateway is gone.
Also there are these files...

loading order

rc.inet1 reads rc.inet1.conf and loads rc.wireless which reads rc.wireless.conf when loading. I don't worry about the rc.wireless.conf, but, in rc.inet1.conf I look for the default gateway line and I change it from "" to the IP of the gateway router.

security

The final step. We want to be sure everything is running before we lock down ports.

Slackware 12.0 - SiS190 eth0 module

symptoms

You would like to connect your box to a network printer, and you plug a Cat5 cable into your box's integrated SiS190 ethernet controller port and another into a known-good router port. Soon, dhcpcd times- out. You kill the dhcpcd and restart it, but it times-out again and assigns a default IPV4LL address, eg 169.254.126.11. The network is unreachable, isn't that nice?

Unfortunately for your weekend, this is likely a kernel module problem if you're lucky, and the kernel itself if you're not. You will not be able to connect via ethernet until successfully (aye, there's the rub) compiling a new driver module for this and successfully inserting it into the kernel, or you may have to entirely recompile the kernel. Apparently, the manufacturer's linux driver for SiS is from 5/2007 and does nothing. Isn't that nice? The process is explained relatively well here, and I added epilogue notes below. Good luck.

notes

Four hours. After downloading the kernel on another box, burning it to CD, unzipping into the current box, and compiling according to all the notes at the link above, the integrated eth0 worked. However, it did not work until I rebooted. That is, after installing the new kernel, I was unable to achieve desired results by bringing eth0 up or down, but after rebooting - success.

Slackware 12.0 - Safety Part 1: expectations

high expectations, low knowledge, under-equipped

Seen in security terms, our home computer systems are an "opportunity". In large organizations, well-paid IT professionals design layers of dedicated security systems to protect workstation computer networks and data is backed up and retained elsewhere. The typical home user combines their computer security system, their end-user applications, and their critical data in a single box. Further, they design their arrangement without IT or programming experience, in most cases. Users nevertheless expect their security to perfectly protect the system, its critical data, and to provide full workstation functionality, all while cruising a virus infected Web. How effective do you believe such a security arrangement is likely to be?

situational awareness - threats

Given that our home systems present opportunities, are there threats which seek to take advantage of them? First, it appears one may assume governments, US or otherwise, can easily penetrate our leaky home systems, and perhaps they do so regularly. It's also likely a large number of civilian entities penetrate our home computer systems. Given the opportunity and the threat, but with our typical lack of resources to build a $3-5K layered and ported system, about all we can do is make ourselves a less inviting target than other home machines out there. Let's suppose here we're going to make the effort, where do we begin?

step one - no security

Linux security features sometimes function like shells around processes, sometimes around files, sometimes around ports, sometimes around data streams, sometimes around other things. The security system is complex. The dedicated security servers of the corporate world do this more easily since they operate with firmware or static-linked libraries and have no other applications or data to interfere. But we want applications and data on our home systems. This means we're bound to have permission or authentication problems when we configure complex security functions around desktop applications and web interfaces. Accordingly, I have one rule for a home system prior to activating iptables.chains,tripwire,ssh, really any security function - the system has to work exactly the way it's supposed to work before the security is implemented, and hopefully before it's connected to any network. If we don't have desktop functionality first, is the permission problem we see when activating security related to the security configuration or is it due to the user configuration? We have no way to cut the problem in half. Alternatively, we could bring up our security half before the desktop operations half, but this means we would have to estimate user applications in advance. So the first step of (home) security is to configure the desktop system to run reliably, including all it's peripherals of printers, scanners, cameras, audio inputs, and so on. Subsequently, we will activate our security and the net packages together, and adjust the mix when a desktop application ceases to work due to security layers. Ideally, we should test system applications after adding each security layer.

Slackware 12.0 - CUPS network printer

Here's how CUPS worked-out on a couple different systems connected to a wired ethernet LAN, with a printer attached to the same LAN, and wifi access to the Web on each box (dual-homed boxes).

slackware 12.0 - huge.s kernel patched for non-smp
500 MHz PIII
500 MB Ram
--printer--
HP1100 LaserJet
Netgear PS 101 MiniServer
Linksys BEFSR41 10/100 router
RTL8139 type card

What works: install

For most of us, the CUPS webtool at  http://localhost:631
simply never works. Not only this, but it waits until the final step in a timely 6-part process to note the failure. For me, it feels more efficient to add printers manually. Perhaps some day all the permissions will align with the stars and CUPS will work. At any rate, there is no limit to the number of printers we can manually add to our workstation.

Lpadmin is the command, but first prepare the printspace:

• add print group ("lp", in many cases) to the groups for users I want to have print access. Users who are not in lp or whatever, can notprint or cancel print jobs without rooting-up.
• decide which ppd to use with the printer.

With these two accomplished, try to add the printer:

# lpadmin -p HP1100 -E -v socket://192.168.1.101/printer -m hpijs.ppd

This may return the error that the hpijs ppd file, in this case hpijs.ppd, cannot be copied. Ppd's need to be in the correct format (uncompressed ppd) and directory (/usr/share/cups/model) if lpadmin is to find them and add them.

Foomatic hides and zips their ppds. I finally located them in /usr/share/cups/model/foomatic-ppds/HP. The one I needed was HP-LaserJet1100.ppd.gz. I copied this file into /usr/share/cups/model , unzipped it: "gzip -d HP*", and renamed it hp1100.ppd for ease of loading. Then I ran:

# lpadmin -p HP1100 -E -v socket://192.168.1.101/printer -m hp1100.ppd

The printer was successfully added to the system at this point, but suppose I had wanted to try a few different ppd files to determine by playing with each, which one had the clearest print and functionality with a printer? A ppd file can be substituted any time with another. Put the new ppd file in /usr/share/cups/model/ and run:

# lpadmin -p HP1100 -P another.ppd

What works: configuration

Ideally again, one should be able to use the CUPS webtool at  http://localhost:631 for configuration, just as we were supposed to be able to add printers with it. If the web interface is working, use it. If not part two of
our work will be to modify the file /etc/cups/printers.conf with the right settings and restart the CUPS server so it reads the file. In /etc/cups/printers.conf one line has different possible structures depending on how the printer is attached. Let's say we've named our device "printername", some possibilities are:

DeviceURI socket://ip.address/printername #LAN
DeviceURI socket://ip.address:ps101name #LAN version2
DeviceURI parallel:/dev/lp0 #parallel port
DeviceURI usb:/dev/usb/lp0 #usb port

I experimented until I determined the correct one for the physical connection which, in my case, was on a LAN. I looked in my router and found my printserver received DHCP at 192.168.1.101.
I navigated there (http://192.168.1.101) in Firefox, and found a GUI interface which allowed me to rename the printserver to any name I desired, but decided to leave it PS101. Accordingly, the successful syntax for my DeviceURI was this one:

DeviceURI socket://192.168.1.101/PS101

and my final working configuration file went like this:

/etc/cups/printers.conf
# Printer configuration file for CUPS v1.3.7
# Written by cupsd on 2008-12-01 04:19
<DefaultPrinter HP1100>
Info HP1100
DeviceURI socket://192.168.1.101/PS101
State Idle
StateTime 1228132708
Accepting Yes
Shared Yes
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy stop-printer
</Printer>

After all this, I ran

# service restart cups

in order for CUPS to re-read the /etc/cups/printers.conf file with the new information. I was able to print from all programs.

test prints

While testing printer ppd's, I ran a lot of test prints. Some worked, but the ones that didn't print piled-up in the queue, and the CUPS interface at http://localhost:631 would never allow me to delete jobs. CLI solution to delete print jobs:

# lpstat -o

provides pending print jobs and the job number eg, "HP1100-1". Then

# cancel HP1100-1

will get rid of the job. Run "lpstat -o" again to verify, if you like.

xfce4 note

To print from Mousepad and others that use X-settings, xfce printing needs to recognize the CUPS printer. Try printing in Mousepad and see if the CUPS printer is available. If not, configuring xfce4 to CUPS will be necessary. This was simple for me. I simply went to the XFCE menu, then access Settings ->Settings Manager -> Printing System. Once in Printing System, I selected the CUPS network printer and closed the menu. I then opened a Mouspad file to print; sure enough, the CUPS printer appeared in my options.

What is supposed to work (as opposed to all of the above)

First, good CUPS documentation here.
Essentially, one should be able to navigate to CUPS at  http://localhost:631 with Firefox and add printers, manage the print queue, or do other config changes. I never could get the parts to sync enough to add a printer, let alone administer them. Some considerations:

• GUI authentication: CUPS apparently relies on PAM, Slackware does not provide PAM?
• parallel: HPLIP is supposedly needed for support if using a parallel port, but not for network printer. I could not get HPLIP to see the parallel port on the legacy system
• parallel: snmp might be a factor

In the name of gleaning understanding and advancing progress from previously attempted approaches or, at least, of not duplicating effort,here were some initial directions:
1. configure network and verify dhcp assigned print server and slackbox IP's. Let's call these IP's as follows:

192.168.1.101 - Print Server
192.168.1.102 - Slackbox

2. check /etc/rc.d/ - verify rc.cups (and rc.hplip, if it were needed) are 755.
3. is printer plugged in? PS101 plugged in?
4. Firefox to http://912.168.1.101. Blue admin page. Change or leave the name of the PS101, but be sure to write it down - you will need it later in your /etc/cups/printers.conf file. Print a test page to see that the server is talking to the printer properly.
5. Firefox to http://localhost:631 CUPS admin interface. Make sure it comes up.
6. Check that tcp and udp ports 161,162, and 9100 are not locked-down.

CUPS Webtool notes http://localhost:631

1. Try adding the printer with the CUPS webtool. It likely will wait until the (frustratingly) last step in the process and reject your password. Since CUPS uses PAM for password authentication and Slackware doesn't use PAM, I made many many many attempts at editing the /etc/cups/cupsd.conf file to eliminate the password requirement, but it always prompted me for a password in the CUPS webtool. According to the information at this slack site here is how one should proceed:
A. Lets say your name is "doofus" and you declared your SystemGroup in cupsd.conf as "wheel":

lppasswd -g wheel -a doofus

B. Check to be certain:

# cat /etc/cups/passwd.md5 doofus:wheel:01234567890abcde1234567890abcde12

C. Now restart CUPS and go back to the webtool in Firefox and add the printer:

#/etc/rc.d/rc.cups restart

I never got it to work; the password was always rejected and I could never add a printer.

SNMP HPLIP

SNMP (Simple Network Management Protocol) is a powerful process originally designed to simplify web management. Many processes take advantage of SNMP functionality and one of them is HPLIP

If hp-setup doesn't work, then the road may be long. Try using SNMP to determine if the kernel can see the printer at the nework address:

snmpwalk -Os -c public -v 1 ip.address.of.printer 1.3.6.1.4.1.11.2.3.9.1.1.7.0

Per this site HP tshoot, the response should be something which shows the manufacturer,or SNMP may not be installed correctly. This means working with the /etc/snmp/snmpd.conf file.

Slackware 12.0 - install 1

Intro

Slackware and Slackware-based hybrids, such as Zenwalk, appear to have a learning curve after moving from Debian and Debian-based hybrids, eg. Ubuntu. But the /etc/rc.d layout in Slack is clean and nearly intuitive. Lets look at Slack 12.0. One of the great things about Slackware is it doesn't use PAM.

Older Machines

1. boot with non-smp kernel big.s
2. cfdisk and mke2fs per taste.
3."setup"
4. activate disks, skip formatting them.
5. install from CD's or DVD but don't configure the network
6. reboot, run the patch for non-smp
7. build nvidia drivers if necessary
8. build wifi drivers if necessary (madwifi, ndiswrapper, other)
9. add any modules to /etc/rc.d/rc.modules and any associated command to /etc/rc.d/rc.local
10. reboot, check wifi or eth0 with "route"
11. to make permanent see here. Essentially, there are a few files to alter if it's dual-homed.
12. configure xorg.conf or copy premade to /etc/X11/
13. set /etc/X11/xinit/xinitrc softlink (ln -s) to desired WM - twm, fluxbox, xfce, etc.
14. reboot and tune.

Wireless

No need to download and compile a driver module if one came with distro: Check here:
ls /lib/modules/2.6.23.12/kernel/drivers/net/wireless/

Atheros AR242x 64 (5007 chipset)
Memory location on my card for this is 53100000. The instructions here were crucial. The ath5k doesn't work well in a Satellite, but they describe the ath5k here, and it appears the ath5k will eventually be the way to go. Currently however, steps appear to be

1. in /etc/modprobe.d/blacklist blacklist the "ath5k" module
2. reboot and lsmod - make sure the ath5k is gone
3. download madwifi-hal-0.10.5.6-r3861-20080903.tar.gz , or the newest one there, make, and install.
4. reboot again and lsmod
5. iwconfig ath0

Atheros AR5005G
download latest madwifi, eg madwifi-0.9.9.3, then the usual

$tar -xzvf madwifi*
$cd madwifi*
$make
#make install
#modprobe ath-pci

RaLink RT2600 802.11 MIMO
1. download latest ralink rt61 driver from ralink support.
2. $tar -xzvf 2008*
3. $cd RT61_Linux*
4. $cp Makefile.6 Makefile [kernel 2.6.x]
5. Alter module rtmp_main.c , by commenting out (around the bottom, line ~900):
return pci_module_init(&rt61_driver);
and replace it with:
return pci_register_driver(&rt61_driver)
6. Their "configure" file is not executable, so change it, then configure and make the module.
$chmod 755 Configure
$./Configure
$make
7. Make a directory where the module will locate configuration info and put these info files in it.
#mkdir /etc/Wireless/RT61STA
#cp rt2561.bin /etc/Wireless/RT61STA/
#cp rt2561s.bin /etc/Wireless/RT61STA/
#cp rt2661.bin /etc/Wireless/RT61STA/
8. The last file to go into that config directory may have CTRL+L line ends and we have to be sure these are eliminated: Use $dos2unix rt61sta.dat (or use sed). This file has the particulars for our LAN and WEP.
9. Copy that file to where the others are at:
#cp rt61sta.dat /etc/Wireless/RT61STA/
10. Send the module to the kernel's module folder:
#cp rt61.ko /lib/modules//misc/
11. Tell the kernel where to find the module by adding a line in /lib/modules//modprobe.dep
: "/lib/modules//misc/rt61.ko:"
12. Load the kernel:
#modprobe rt61

AFTER INSTALLING WIRELESS
1. provide permanence via /sbin/modprobe ath-pci to /etc/rc.d/rc.modules and any configuration for it (eg. iwconfig ath0 essid "loser") to /etc/rc.d/rc.local.
1b: in the case of Ralink /sbin/modprobe rt61 to /etc/rc.d/rc.modules.
2. further modify /etc/rc.d/rc.local to be sure card comes up. Last line for the card: iwconfig ra0 up or iwconfig ath0 up
3. reboot and "dhcpcd ra0" or ath0, check with "route" and a ping.