Introduction

Creating a low-end server for SOHO. Small office and home office (SOHO) servers have low demand for computer resources and bandwidth. With a small form factor (small-sized) computer a secure solution can be built, based on Smoothwall (http://smoothwall.org/) and User Mode Linux (UML, http://user-mode-linux.sourceforge.net/). This combination gives users secure internet access through a firewall, and a secure environment to deliver web content over the internet. Together with an xDSL connection and dynamic DNS, this system results in a very cheap solution.

Today's desktop systems are powerful enough to run server applications and respond to a low to medium number of simultaneous connections (hundreds to thousands) with a relatively good response time. However, most SOHO sites have on average very low requirements (tens to a hundred simultaneous connections). A typical system seen today has a powerful microprocessor (2.4 to 3.2 GHz), a fair amount of RAM (256 MB), and a high-capacity hard disk (80 to 120 GB, 7200 rpm, 8 MB cache). Such a system has the power needed to serve as a low-end server.

For this project, a small form factor (small-sized) system was selected: an Asus Pundit (http://www.asus.com/products/desktop/pundit/overview.htm). This system comes with a Socket 478 for a Pentium 4, a multi-card reader (SD, SM, MS, MMC), an IEEE 1394 port, a USB 2.0 interface, a headphone jack, a PCMCIA slot, DVI out, TV out, an NE2000-compatible network connection, and serial and parallel connectors. The Asus Pundit also has two PCI slots, room for a 3½" hard disk, and a bay for a CD drive. I configured this system with a Pentium 4 2.4 GHz, 256 MB of DDR SDRAM, an 80 GB hard disk, and an additional Ethernet card. The cost of the system is roughly US$ 350 to 700, depending on your location.

System Configuration

The first step is to install Smoothwall. Smoothwall 2.0 is a router/firewall based on Linux. It is open source, which means it is freely downloadable and distributable.
The setup and administration of Smoothwall is extensively covered in the documentation found on the Smoothwall site. As the setup of Smoothwall is out of the scope of this article, we will only refer to the specific points related to this project. Begin by downloading the Smoothwall ISO image and writing it to a CD-R. Boot the computer from the CD-ROM and follow the install instructions until the system is ready for reboot. Some special considerations about the configuration of the system are detailed in Appendix A.

Once we are sure we have set up the system correctly and connected to the internet through an xDSL connection, we proceed to install User Mode Linux and make the necessary adaptations so that it runs within our Smoothwall distribution as its base (host) system. To accomplish this, we have to install a software package named bridge-utils. As Smoothwall is derived from Red Hat 7.0, we can find and download prebuilt packages from any Red Hat mirror. We downloaded it from: http://updates.ecsc.co.uk/apt/firehat-1.6-i386/rpms.updates/redhat/rpms/bridge-utils-0.9.7-1.i386.rpm

After bridge-utils has been installed, we have to reconfigure the kernel so we can load the Universal TUN/TAP device driver. The TUN/TAP device lets the user create virtual network interfaces that can be connected to the real Ethernet cards of the system and, through them, to the intranet or to the internet. Another possibility is to download a precompiled kernel of the latest version from a known distribution (Red Hat, SuSE, Debian, etc.), which contains most of the kernel functionality compiled as modules, and install the kernel and modules in the Smoothwall /lib/modules/ directory. After both bridge-utils and TUN/TAP are installed, we need to modify some configuration files, as shown in sidebars 3 to 5.

Sidebar 3. /home/uml/tap_up script.

#!/bin/sh
# Load the TUN/TAP driver and (re)create the tap devices owned by the UML user.
insmod tun
tunctl -d tap0
tunctl -d tap1
tunctl -u karpati -t tap0
tunctl -u karpati -t tap1
# Host side of each point-to-point /30 link to the guest.
ifconfig tap0 10.1.0.5 netmask 255.255.255.252 broadcast 10.1.0.7 up
ifconfig tap1 10.1.1.5 netmask 255.255.255.252 broadcast 10.1.1.7 up
# Let the host forward between the tap devices and the real interfaces.
echo 1 > /proc/sys/net/ipv4/ip_forward
# Host routes to the guest side of each link.
route add -host 10.1.0.6 dev tap0
route add -host 10.1.1.6 dev tap1
# Proxy ARP: answer ARP requests for the guest address on eth0 so the LAN can reach it.
echo 1 > /proc/sys/net/ipv4/conf/tap0/proxy_arp
arp -Ds 10.1.0.6 eth0 pub

Sidebar 4. /home/uml/tap_down script.

#!/bin/sh
# Remove the host route to the guest, then tear down tap0 and unload the driver.
route del -host 10.1.0.18 dev tap0
ifconfig tap0 down
tunctl -d tap0
rmmod tun

Sidebar 5.
/home/uml/uml_network script.

#!/bin/sh
# Load the TUN/TAP driver and recreate tap0 owned by the user that runs the guest.
insmod tun
tunctl -u karpati
tunctl -d tap0
tunctl -u trancefer -t tap0
# Host side of the /30 link, forwarding, host route to the guest and proxy ARP on eth0.
ifconfig tap0 10.1.0.17 netmask 255.255.255.252 broadcast 10.1.0.19 up
echo 1 > /proc/sys/net/ipv4/ip_forward
route add -host 10.1.0.18 dev tap0
echo 1 > /proc/sys/net/ipv4/conf/tap0/proxy_arp
arp -Ds 10.1.0.18 eth0 pub

The next step is to download a filesystem image from the User Mode Linux site. We downloaded debian-3.0r0 (http://prdownloads.sourceforge.net/user-mode-linux/debian-3.0r0.ext2.bz2). This image is a bzip2-compressed filesystem formatted as ext2. We create several virtual disks as follows:

> dd if=/dev/zero of=/home/uml/root_fs count= bs=
> mke2fs /home/uml/root_fs

Now we uncompress and mount the Debian image and copy some of its directories into root_fs, which we also mount:

> mkdir /mnt/uml1 /mnt/uml2
> mount /home/uml/debian-3.0r0.ext2 /mnt/uml1 -o loop
> mount /home/uml/root_fs /mnt/uml2 -o loop
> cd /mnt/uml1
> cp -r ./etc ./boot ./dev ./lib ./bin ./sbin ./usr ./opt /mnt/uml2
> mkdir /mnt/uml2/home /mnt/uml2/var /mnt/uml2/tmp

We have copied most of the directories of our Debian distribution into our filesystem (/lib must be included, since without its shared libraries and modules the guest cannot boot, and the /home, /var and /tmp directories are created as empty mount points). The reason we excluded /home and /var from root_fs is that root_fs will be mounted read-only. So we create two new virtual filesystems and call them var_fs and home_fs (root_fs is unmounted first, and the contents of each directory are copied to the top level of its own image):

> umount /mnt/uml2
> dd if=/dev/zero of=/home/uml/var_fs count= bs=
> mke2fs /home/uml/var_fs
> mount /home/uml/var_fs /mnt/uml2 -o loop
> cp -r ./var/. /mnt/uml2
> umount /mnt/uml2
> dd if=/dev/zero of=/home/uml/home_fs count= bs=
> mke2fs /home/uml/home_fs
> mount /home/uml/home_fs /mnt/uml2 -o loop
> cp -r ./home/. /mnt/uml2
> umount /mnt/uml2

Now we proceed with the configuration of the Debian system. We mount root_fs again and modify /etc/fstab so that it finds our partitions on booting (sidebars 6 to 8).

Sidebar 6. /etc/fstab

/dev/ubd/0 / ext2 defaults,errors=remount-ro 0 1
/dev/ubd/1 /var ext2 defaults,errors=remount-ro 0 1
/dev/ubd/2 /home ext2 defaults,errors=remount-ro 0 1
/dev/ubd/3 /tmp ext2 defaults,errors=remount-ro 0 1
/dev/ubd/4 none swap defaults 0 0
proc /proc proc defaults 0 0

Sidebar 7. /etc/inittab

# /etc/inittab: init(8) configuration.
# $Id: inittab,v 1.91 2002/01/25 13:35:21 miquels Exp $

# The default runlevel.
id:2:initdefault:

# Boot-time system configuration/initialization script.
# This is run first except when booting in emergency (-b) mode.
si::sysinit:/etc/init.d/rcS

# What to do in single-user mode.
~~:S:wait:/sbin/sulogin

# /etc/init.d executes the S and K scripts upon change of runlevel.
#
# Runlevel 0 is halt.
# Runlevel 1 is single-user.
# Runlevels 2-5 are multi-user.
# Runlevel 6 is reboot.
l0:0:wait:/etc/init.d/rc 0
l1:1:wait:/etc/init.d/rc 1
l2:2:wait:/etc/init.d/rc 2
l3:3:wait:/etc/init.d/rc 3
l4:4:wait:/etc/init.d/rc 4
l5:5:wait:/etc/init.d/rc 5
l6:6:wait:/etc/init.d/rc 6

# Normally not reached, but fallthrough in case of emergency.
z6:6:respawn:/sbin/sulogin

# What to do when CTRL-ALT-DEL is pressed.
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

# Action on special keypress (ALT-UpArrow).
kb::kbrequest:/bin/echo "Keyboard Request--edit /etc/inittab to let this work."

# What to do when the power fails/returns.
pf::powerwait:/etc/init.d/powerfail start
pn::powerfailnow:/etc/init.d/powerfail now
po::powerokwait:/etc/init.d/powerfail stop

# /sbin/getty invocations for the runlevels.
#
# The "id" field MUST be the same as the last
# characters of the device (after "tty").
#
# Format:
#  <id>:<runlevels>:<action>:<process>
#
# Note that on most Debian systems tty7 is used by the X Window System,
# so if you want to add more getty's go ahead but skip tty7 if you run X.
#
# UML virtual consoles and the serial console.
0:2345:respawn:/sbin/getty 38400 vc/0
1:2345:respawn:/sbin/getty 38400 vc/1
2:2345:respawn:/sbin/getty 38400 vc/2
c:2345:respawn:/sbin/getty 38400 serial/0
# The physical console entries are disabled in the guest; their ids "0" and "1"
# would otherwise clash with the vc/0 and vc/1 entries above.
#0:2345:respawn:/sbin/getty 38400 tty0
#1:2345:respawn:/sbin/getty 38400 tty2
#3:23:respawn:/sbin/getty 38400 tty3
#4:23:respawn:/sbin/getty 38400 tty4
#5:23:respawn:/sbin/getty 38400 tty5
#6:23:respawn:/sbin/getty 38400 tty6

# Example how to put a getty on a serial line (for a terminal)
#
#T0:23:respawn:/sbin/getty -L ttyS0 9600 vt100
#T1:23:respawn:/sbin/getty -L ttyS1 9600 vt100

# Example how to put a getty on a modem line.
#
#T3:23:respawn:/sbin/mgetty -x0 -s 57600 ttyS3

Sidebar 8. /etc/hostname

virtual_1

Sidebar 9. /etc/network/interfaces

# Used by ifup(8) and ifdown(8). See the interfaces(5) manpage or
# /usr/share/doc/ifupdown/examples for more information.

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 10.1.0.6
    netmask 255.255.255.252
    broadcast 10.1.0.7
    up route add -net 10.1.0.16 netmask 255.255.255.252 gw 10.1.0.5
    up route add -net 10.1.0.12 netmask 255.255.255.252 gw 10.1.0.5

iface eth1 inet static
    address 10.1.1.6
    netmask 255.255.255.252
    broadcast 10.1.1.7
    gateway 10.1.1.5
    up route add -net 10.1.1.16 netmask 255.255.255.252 gw 10.1.1.5
    up route add -net 10.1.1.12 netmask 255.255.255.252 gw 10.1.1.5

Sidebar 10. /etc/resolv.conf

search
nameserver xxx.xxx.xxx.xxx
nameserver yyy.yyy.yyy.yyy

Substitute the nameserver entries with the addresses of the nameservers provided by your internet service provider.

Now we are ready to reboot and test the UML system. First, we have to run the script we created to set up the TUN/TAP network interface (see Appendix B for an explanation of the UML setup). Both loop mounts are released beforehand, since an image must not be mounted on the host while the guest boots from it:

> umount /mnt/uml1
> umount /mnt/uml2
> su root -c /home/uml/uml_init
> linux ubd0=root_fs ubd1=var_fs ubd2=home_fs ubd3=tmp_fs \
    eth0=tuntap,tap0 eth1=tuntap,tap1 con=xterm con0=fd:0,fd:1

At this point we have finished configuring our Debian system.

Updating the Debian virtual server

The Debian image we downloaded has only basic capabilities, and it is not up to date either. So we su to root and run:

> apt-get update
> apt-get upgrade

Having done that, we install the server software we want to run. In our case, we want to install apache-ssl.

> apt-get install apache-ssl
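Before trusting the guest with internet-facing traffic, it is worth checking that the host-side scripts and the guest configuration above agree with each other. The following POSIX shell script is an added example, not part of the original article: it verifies that each tap interface's address, netmask, broadcast and host-route peer from sidebars 3 to 5 describe one consistent /30, and that the guest's fstab from sidebar 6 really mounts / read-only, as the text says root_fs should be. The function names and the sample inputs (constructed from the sidebar values) are my own. Run against the sidebars it reports two things: the peer address used by the tap_down script (10.1.0.18) does not lie in the /30 that tap_up gives tap0 (10.1.0.4/30), so tap_down would not remove the route tap_up added; and sidebar 6 mounts / with defaults, that is read-write, rather than ro.

```shell
#!/bin/sh
# Added example (not from the article): sanity checks for the tap addressing
# in sidebars 3 to 5 and the guest fstab in sidebar 6.

# Dotted quad -> 32-bit integer.
ip2int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# check_p2p ADDR MASK BCAST PEER
# Prints "ok" (status 0) when BCAST is the broadcast of ADDR/MASK and PEER is a
# usable host address of that subnet other than ADDR. Otherwise prints the first
# problem found and returns 1: a peer outside the /30 means the "route add -host"
# and "arp -Ds" lines do not belong to the tap address they are paired with.
check_p2p() {
    a=$(ip2int "$1"); m=$(ip2int "$2"); b=$(ip2int "$3"); p=$(ip2int "$4")
    net=$(( a & m ))
    bc=$(( net | (m ^ 4294967295) ))
    if [ "$b" -ne "$bc" ]; then
        echo "broadcast $3 should be $(int2ip "$bc")"; return 1
    fi
    if [ $(( p & m )) -ne "$net" ]; then
        echo "peer $4 is outside $(int2ip "$net")/$(int2ip "$m")"; return 1
    fi
    if [ "$p" -eq "$a" ] || [ "$p" -eq "$net" ] || [ "$p" -eq "$bc" ]; then
        echo "peer $4 is not a usable host address"; return 1
    fi
    echo ok
}

# check_fstab_root: reads fstab text on stdin and reports whether "/" carries
# the "ro" mount option. Returns 0 when it does, 1 when / is read-write or absent.
check_fstab_root() {
    while read -r dev mnt type opts dump pass; do
        case $dev in ''|\#*) continue ;; esac      # skip blank lines and comments
        [ "$mnt" = / ] || continue
        case ",$opts," in
            *,ro,*) echo "/ read-only ok"; return 0 ;;
            *)      echo "/ is read-write ($opts)"; return 1 ;;
        esac
    done
    echo "no entry for /"; return 1
}

# Constructed inputs: the first is sidebar 6 as printed, the second the read-only variant.
FSTAB_SIDEBAR6='/dev/ubd/0 / ext2 defaults,errors=remount-ro 0 1
/dev/ubd/1 /var ext2 defaults,errors=remount-ro 0 1
proc /proc proc defaults 0 0'
FSTAB_RO_ROOT='/dev/ubd/0 / ext2 ro,errors=remount-ro 0 1
/dev/ubd/1 /var ext2 defaults,errors=remount-ro 0 1'

# Demo: tap0 and tap1 from tap_up, tap0 from uml_network, then tap_up's tap0
# paired with the peer that tap_down tries to delete.
for spec in "10.1.0.5 255.255.255.252 10.1.0.7 10.1.0.6" \
            "10.1.1.5 255.255.255.252 10.1.1.7 10.1.1.6" \
            "10.1.0.17 255.255.255.252 10.1.0.19 10.1.0.18" \
            "10.1.0.5 255.255.255.252 10.1.0.7 10.1.0.18"; do
    echo "$spec -> $(check_p2p $spec)"
done
for f in "$FSTAB_SIDEBAR6" "$FSTAB_RO_ROOT"; do
    printf '%s\n' "$f" | check_fstab_root && echo "  -> pass" || echo "  -> fail"
done
```

The same two functions can be fed the real files on the Smoothwall host (for example by extracting the ifconfig and route lines from the tap scripts with grep, and by piping the guest's /etc/fstab from the loop-mounted root_fs into check_fstab_root) before each reboot of the guest.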
[[ To be continued ]]