Linux Routers

| Linux Routers | |
|---|---|
| author | Tony Mancill |
| pages | 329 |
| publisher | Prentice Hall |
| rating | 7 |
| reviewer | Martin Barry |
| ISBN | 0-13-086113-8 |
| summary | Fundamental look at replacing brand name routers with ones based on generic hardware and Linux. Develops concepts of core routing features and relevant extensions in the context of six router applications including LAN, WAN and Internet. |
 
Overview
Linux Routers is an interesting little book that pulls together the kind of information one could find browsing various HOWTOs and guides into a concise narrative explaining the tasks required to build and operate Linux-based routers. The book opens with a discussion of the fundamental theory underlying routing and the infrastructure required to implement routing solutions. For those (like myself) who have little exposure to network administration this will be particularly helpful as a lead-in to the following chapters.
There is a chapter to further build on the basics of IP (addresses including RFC1918, subnetting, routing tables), ethernet (MAC addresses, ARP, switching) and wide area networks (types of links, integrating with telco hardware, billing).
The detail increases as the book progresses. It starts with the simplest installation, routing between two ethernet segments covering the basics of setting up Linux networking and routing. Methods of IP accounting are also introduced. Mention is also made of the Linux Router Project and the single floppy distribution they have developed.
Moving on to WAN routers introduces the telco issues and ways to conserve bandwidth (HTTP proxy, caching DNS). IPchains is introduced in the context of masquerading otherwise unroutable addresses. Various tools are listed in a section that demonstrates how to view traffic on the network for educational and debugging purposes. Monitoring of traffic over a router is also described, using MRTG to collect and beautify data. Chapter 7 includes methods of reducing said traffic such as HTTP caches and a DNS slave at the remote site.
A border router to the Internet is used to raise related security issues and the use of proxy servers to screen access from the outside in or the inside out. This information bridges across chapters 6 and 8 and includes topics like packet filtering firewalls, port redirection and proxies. The flexibility of Linux is demonstrated by the ability to integrate routing and Internet servers on a single box. With obvious reservations about how wise that is, it is pertinent that failure detection, notification and recovery are all covered.
What's to like
The information starts out simple and builds on itself in a cyclical fashion as the book progresses. The six scenarios are the ones likely to be encountered in a production environment and illustrate the benefits of using Linux routers. The issues of choosing Linux as a router are well addressed, including discussions on thorny topics like "Total Cost of Ownership," and provide a framework for you to assess your own situation. The writer's style is clear and easy to read.
Different WAN and Internet telco links are discussed (POTS, frame relay, dedicated digital access circuit) including how to configure the link and what protocols to run over it.
Peripheral issues, such as troubleshooting tcp or proxy servers, are dealt with well. Information is provided to allow you to understand the integration with the routing infrastructure you are deploying. When the topic starts to drift from the task at hand the author makes good use of redirecting people interested in more detail to other references (Web sites, books).
What's annoying
The author is a part of the Debian project so some things have a bit of a Debian slant on them (this includes the file system layout referred to and the config files). This shouldn't be too much of an issue for most people, though it will require a thorough understanding of one's own system or problem-solving via your distribution's manual. WAN hardware and software discussions are limited by the author's experience, with a particular brand of card and one software package (wanpipe -- of which the author is the Debian maintainer) being focused on. Alternatives are mentioned, but not in great depth, and the examples therefore might not be portable to your choice of card or software.
Summary
If you are comfortable with enabling routing, IPchains, proxy servers and troubleshooting tcp/ip on Linux, this book will be of little use other than to provide a step-by-step approach. On the other hand, if you currently use brand-name routers but have sometimes wondered whether that 486 in the corner could be put to good use, this book will certainly guide you on your travels.
Table of Contents
Note: the author uses the elements to name boxen, hence the names of the chapters.
- Routing Building Blocks (Hardware, Environment, Software)
- IP, Ethernet and Telephony Basics (Routing, Ethernet, WAN)
- Silicon - LAN Router (LAN Routing, IP Aliasing and Accounting)
- Erbium - an Extranet Router (IP Masq, IP Monitoring)
- Zinc - Frame Relay Router (WAN Hardware and Software, MRTG)
- Oxygen - Internet Router (Security, Firewalling, Failure Detection)
- Californium - Satellite Office Router (Caches and Slaves, Multifunction Routers, Remote System Support)
- Hafnium - Internet Services Router (Proxying, IP Redirection, Routing Daemons, Emergency Recovery)
- A) Links
- B) Compiling a Kernel
- C) Testing Strategies
- D) Ethics and Other Considerations
- E) GPL
You can purchase this book from ThinkGeek.
I prefer to use the lynksys router (Score:1)
Freesco (Score:2)
Re:So with old machines... (Score:2)
Virtually No Coverage of Dynamic Routing (Score:4)
On the other hand, I felt the title of the book constituted a promise that it would include good coverage of dynamic routing protocols like OSPF, RIP2, and others--all of which are available in strong Linux implementations.
This book covers the entire concept of dynamic routing in about 4 pages, in section 8.4--and the coverage is completely inadequate. There isn't usable information on setting up ANY dynamic routing protocol--OSPF isn't even in the index of the book. (Its one mention is in the glossary.)
Re:So with old machines... (Score:1)
I added an 8Mb ATI card, and all the spare SIMMs in the junkbox that would fit to get about 96Mb, and it goes like a train with truecolour driving a 'spare' 21" monitor. It's relatively quiet too. I believe there are either netboot or floppyboot options like this that can do away with the hard drive altogether to make a very quiet system - the 486 has no fan, and the PSU can be knobbled to shut up a bit.
Getting PCI video cards is getting harder though, and X network security sucks big time.
IPsec? (Score:1)
I'm reading the ora "Building Internet Firewalls" book now, has anyone tried the "Building Linux and OpenBSD Firewalls" book? It covers OpenBSD 2.5, will it be relevant for 2.8?
Thanks.
Some other points in the book (Score:2)
I liked the book, it's pretty easy reading and was definitely worth the time spent reading it.
Re:Virtually No Coverage of Dynamic Routing (Score:3)
Imagestream and Nbase-Xyplex do make heftier core-style Linux routers / layer 3 switches, but they aren't very widely deployed.
Re:Freesco (Score:4)
Freesco is by far the easiest and most flexible out-of-the-box router I could find... it supports just about every type of bridge you may need (ethernet dialup, ethernet ethernet, dial in server). It has a built in DHCP server, print server, dns server, web server, and web based control panel. Further, it all fits on a floppy.
I can set one of these things up on site in less than half an hour. I threw a couple of web based security audit tools at it, including running a version of Saint against it, and it scored as near to perfect as possible in every case (I left a trivial web server running and open to the outside so it could not get a perfect score).
The only drawback is the fact that they insist on trying to keep everything on a floppy, so they miss a couple of nice tools that would help me. This is a bad idea (IMHO), as I have stacks of 100 - 500 MB hard drives (that no one can use) lying around, but extra floppy drives are harder to come by (as people still use them in current systems). 100 MB hard drives are arguably cheaper (i.e. free) than 1.44M floppy drives ($19 or so)!
Anyway, I have two subnets behind my firewall, one traditional 10/t ethernet, and one wireless ethernet (based around webgear aviator 2.4 Ghz PCMCIA cards with ISA adapters if necessary).
Because they want it on a floppy, there is no room for the PCMCIA support, which means I have to have my other server do a little more complicated routing, and DHCP serving (a non-routable protocol) gets messy. It would be easier if all my subnets were anchored directly into the firewall... but I digress.
Anyway, if you want a very secure and easy to set up firewall, then take a good look at freesco. Run a setup script and answer 20 or so questions (all with reasonable defaults) and you have a great little full featured server on your old 486 (with 16 MB ram). The documentation is very good as well.
Personally, I think a dedicated firewall product like this is much more secure than trying to lock down a full distribution and using that... there are just fewer doors and windows for people to poke at and pry open, and far fewer tools to exploit if they do get in... not to mention that the entire OS partition gets mounted read only...
Bill
Re:So with old machines... (Score:1)
Well, one nice thing about using an old computer instead of a $200 NAT box, is that it can also run services for you, such as Squid, DNS cache, maybe even fringe things like nntpcache.
Every home or office should have one of these.  :-)
---
Re:MTBF? (Score:1)
An easy way to cover the redundancy requirement is to have a complete standby unit preconfigured and ready to slot in. All that is needed is two obsolete PCs with identical WAN adapter and NIC. Either go the floppy approach as with LinuxRouter or get Sandisks. Since a sandisk just looks like another hard drive, an old IDE hard drive will do in the spare router to save on sandisk costs (I don't think they ever fail anyway).
It's not hot swappable, so you may lose a couple of customers in the minute it takes to swap cables and boot from sandisk, but if you are running amazon.com obviously you have a budget to buy better. To put the reliability issue in perspective, where I live my ISP lost 75% of its bandwidth on Monday and its routers all went nuts. We had traffic interruptions for hours while they reconfigured their network and what looked like numerous router reboots.
So for those on a limited budget Linux routers can be both reliable and very flexible but like MySQL they have limitations that mean they are not a solution for all situations.
Re:I chose the webramp (aka, sonicwall) box (Score:1)
Monty
Re:I chose the webramp (aka, sonicwall) box (Score:2)
Closed source and security tend not to go together. By definition it means that no independent expert can possibly have audited the software.
Re:I chose the webramp (aka, sonicwall) box (Score:3)
It is small, makes no noise (not an issue for where I use it - 10krpm scsi drives and fans take care of that), works well and is easily configured. All for ~$130... saves on power, if you had a system dedicated to only the masq/firewalling, too.
There's no client license or anything - just use up all the IPs you want. Good stuff.
--
No fans? (Score:1)
Re:MTBF? (Score:1)
Hmm...
- Most 486-class CPUs are adequately cooled with just a heatsink (an i486DX4-100 might need a fan, but <=66-MHz and/or 3.3-volt (Cyrix/AMD) CPUs often don't; my firewall uses a Cyrix 5x86-120 and it only has a smallish heatsink epoxied to the processor).
- If your router setup will fit on a floppy, you can set things up so the floppy is only accessed at bootup. If more space is required, you could get one of those CompactFlash-to-IDE adapters [dansdata.com] and an appropriately-sized CF card and use it in place of the usual spinning-metal contraption.
- Once you've gotten the overall power consumption down low enough, if you're a little daring you could try removing the power supply fan. With an old, slow processor and no HD, power consumption should be a small fraction of what the power supply can deliver.
Do that and you'll have no moving parts to wear out, and it'll still run Linux.
Re:MTBF? (Score:1)
>kind I'm used to would give you industrial
>deafness from the fans! Take a look at any Cisco
>5500 or up - the fans on those babies could cool
Cisco 1600 series and Linksys Etherfast DSL
Amorphis
MTBF? (Score:3)
Amorphis
I have done this several times for clients... (Score:2)
My answer: it runs EMACS.
Re:Routing (Score:2)
It would be nice to have an updated "Advanced Routing Howto" that includes more information on the options for and configuration of such things as:
Secure IP (FreeS/WAN)
Routing daemons (Gated, Routed, Zebra, etc.)
(Layer 2) Bridging (also with firewalling, etc.)
Port / service redirection
Re:IPsec? (Score:1)
_____________
IPv6 ? (Score:2)
Re:ahh, yes... the typical trouble... (Score:1)
Re:So with old machines... (Score:1)
This is the true benefit of open source solutions. I think too many people get used to knowing things and forget that. Someone could write an interface for ipfwadm, ipchains, or ipmasqadm and make it look as pretty as they liked. But when it comes right down to it, you can look under the hood and see how the magic works. This holds just as true for my router as it does for the machine I sit at. This is an idea that's still spreading. It hasn't hit all ends of the market. But companies such as Myricom and IBM have produced open source software. Conglomerates such as the ISC and Kame forward research and development of IPsec, IPv6, and other radical new toys. Closed, proprietary systems can be useful for ideas. New directions to go in (I could write a series of shell scripts to pull off the rather convenient Solaris 'share' commands, for example). But who wants to be stuck with them?
Hell, this book is even a good example of how to make money doing this. Everybody needs HOWTO's and man pages, and bound hardcopy is -convenient-.
Lanir
Hardware vs. Software routers (Score:1)
Re:I chose the webramp (aka, sonicwall) box (Score:2)
I think that you can define a DMZ host in addition to the NAT range. Admittedly that's just one host, but...
Besides, who says you can't do port forwarding of 53, 25/110, and 80/8080/443 from the outside to static inside IPs? You can disable DHCP on the inside, you know...
Well, it is a moot point if you already got the sonicwall  :-)
--
Re:Freesco (Score:1)
Floppies are also extremely unreliable media. I haven't used it, but there should be some way to put it on a hard drive. Floppies just sound like bad news.
What would be really cool is to configure it, then burn most of it to a bootable CD and use a zip drive for anything you need to save. Those newer 250 Meg zip drives could hold a lot of logs if one didn't want to log to a different system's syslog.
Re:MTBF? (Score:2)
are you high? ALL decent routers (aside from home access boxes) have MEGA fans inside! there is QUITE a bit of heat generated from silicon based forwarding (I work for a router company, I have some insight here).
more and more routers even have hard drives inside to save state, config files and event logs.
--
Re:MTBF? (Score:2)
having managed many top-brand routers and switches in my career, I can say that these things (ALL of the above) do fail from time to time. that's one major reason why they are swappable.
unless you go with compactPCI or pcmcia, there's nothing hot swappable about the x86 platform - which is what most linux routers are based on. and even with c-PCI, I believe the hot-swap standard is not supported under linux (last time I checked was about a year ago and support wasn't there).
for anything approaching an enterprise router, you NEED to have hot-swap support and shelf spares. it's easy to have shelf spares with pci ethernet cards but the hot swap trick on a regular x86 motherboard will just get you a fried system. well, at least you won't have to worry about system breaks - a fused motherboard is the most secure gateway I can think of  ;-)
 
--
Re:I chose the webramp (aka, sonicwall) box (Score:2)
--
Re:I chose the webramp (aka, sonicwall) box (Score:3)
for an extra $50, I went with the webramp/sonicwall. it DOES allow a mix of public and private addresses. it's not an "all nat or no nat" choice, which I find very limiting.
--
I chose the webramp (aka, sonicwall) box (Score:4)
it does nat (for 5 clients at the current licensing price; upgradable), all the usual stateful firewalling, routing, port forwarding, etc.
I'm a linux guy (by hobby and profession) yet I chose this standalone box. why? well, I WANTED a closed-source security box. I still run openbsd as my main access point but I wanted a 2nd level of protection. using linux for security is pretty laughable for 99% of the users out there. I think I have peace of mind now with one of these boxes in series with an openbsd box.
yeah, it wasn't free. but the ultra small footprint, the total lack of fan noise and the very usable web mgmt front-end made it an easy decision.
there are things that linux wins in. being a quiet and small footprint access router device isn't one of them.
--
Re:So with old machines... (Score:2)
I installed UMSDOS Slackware from the A and N floppies (around 10 in those days) on one of the PCs in the lab, then installed a kernel I compiled at home in my spare time - the kernel having routing enabled. Then I added a spare NIC to this machine.
Re:So with old machines... (Score:2)
So with old machines... (Score:2)
Okay, it's cliche, but has anyone ever made a cluster of old boxes? Perhaps even for scalable routing?
----
Re:Freesco (Score:1)
Re:So with old machines... (Score:2)
When I was inventorying asbestos restricted spaces at the university of washington (another wacky stage in my career spiral) I stumbled across an interesting closet. I don't know what the researcher was working on, but he/she'd taken a huge stack of surplus Gateway desktops and lag-screwed them together with 2x4s for a poor man's rack mounted array. With University surplus machines practically free to internal users, I'm surprised there aren't more people doing this.
How about a link? (Score:1)
Why do people always talk about something and not provide a link? If we haven't heard of it, we don't know where it is. True, freesco.org is (should be) an obvious guess, but for others it's much more difficult, like when I tried to find bugtraq a year or so ago.
Re:So with old machines... (Score:1)
Slow moving marsupials and the women that love them
Re:So with old machines... (Score:1)
build an innovative house
use them as voting machines for blind Floridians
take them apart and serve the chips with burgers and ketchup
use them as hitech doorstops
PS. The other serious use is as a firewall.
Re:IPsec? (Score:1)
Routing (Score:2)
The people who wrote it really know what they're talking about.
Also, Linux router [linuxrouter.org] is a router on a floppy disk with most of the hard work done for you, so a lot of the information in the book will be redundant.
And just as a point, software routing is not really appropriate for large networks, so you're not going to throw away those Cisco boxes any time now.
Re:ahh, yes... the typical trouble... (Score:1)
ahh, yes... the typical trouble... (Score:2)
Well, this seems to be one of the biggest damn challenges, doesn't it... people cannot get past their biases to write something more universal. Now, before someone goes off and tries to kill me for this, let me continue...
Yes, I know that you need to give examples in such texts. Yes, I know there are many differing distributions, and many have their little nuances and quirks. I realize that it's not feasible to cover all of these subtleties - BUT that doesn't give an author an excuse to not acknowledge those subtleties. Yes, it's hard to do, but in all fairness, if you write such a text for other, completely non-related topics/subjects, you cannot get away with heavy bias - without flat-out saying so - particularly in the title, or at least on the front cover. It's only fair to the reader.
Again - I don't want to start one of those oh-so-fun flame wars over whose distro is better than whose, or why YOU think the bias must be there. I'm simply saying that the bias doesn't HAVE to be there, and I'd really like to see someone take the initiative and put some effort into working around this.
And, yes, I'm sure there are some level-headed individuals, and maybe even groups, trying to do this. I (we - see the bio) do not live within the "geek" culture... we're linux fans, we're BSD fans, we're gamers, we're fairly unusual users... but it does not permeate our lives - it's only a small part of what we do. And sometimes, we're the ones who need to get a book like this, and make it work for us...
Just some food for thought
Fast Ethernet wirespeed routing w Linux (Score:1)