NOTES ON SETTING UP A SLACKWARE-10.2 SERVER
#################################################################################
1. Background:
2. Setting up gateway access to the internet:
3. Setting up file sharing with NFS:
4. CUPS print server:
5. HPOJ and CUPS:
6. Setting up network scanning with saned:
7. Setting up snort inline
#################################################################################

1. Background:

This is my gateway server setup. Some people would criticise it as less than ideal since I have put gateway/firewall functions and internal LAN services on the same box, but it suits my needs. Anyone else who sets themselves up similarly will have to decide for themselves whether they are satisfied with the level of security afforded.

We have a home network consisting of a gateway/server and two workstations. I used IPCop on my gateway for two years but really also needed to share printers. After a 4 day look at Clark Connect I decided that I did not want to invest the time in learning how to manage a Red Hat based gateway/server. Since I know and use Slackware daily on my workstations, I might as well use it as a server too.

At present this box:
  - is a gateway
  - is an iptables firewall
  - uses Snort to provide inline intrusion detection
  - is a CUPS server sharing an HP-930c and an HP-PSC-2355
  - provides scanner shares (PSC-2355) via saned
  - provides network file shares for DVB time shifting and backups from clients

I am using Slackware-10.2. Originally the server was an old box circa 2000 with a 533 MHz AMD CPU and 256 MB RAM. Two NICs provided me with eth0 and eth1, and a 4 port USB/PCI card provided access for printers. Being lucky enough to find a shop with some older items in stock, I have recently upgraded to a new mobo and an Athlon 1800 XP CPU with 512 MB of RAM, but the older gear worked well enough save for the power supply and CPU fans getting a bit long in the tooth and noisy.
I initially installed Slack and got networking going with a monitor, keyboard and mouse connected. From that point on I configured it from the CLI over SSH, or with a browser (and the correct permissions) from my workstation. What I've written here is just a little more elaborate than notes. I would suspect that anyone who contemplates setting up a server themselves would have enough Linux experience to be able to sort out the rest. I am using the stock 2.6.13 kernel from /testing and, except where stated otherwise, software is all off the Slackware-10.2 install disks.

2. Setting up gateway access to the internet:

This box is configured with the Slackware command "netconfig" with the following:

  hostname:    box
  domain name: miles.home
  static IP:   192.168.1.1
  netmask:     255.255.255.0
  gateway:     192.168.1.1
  nameserver:  203.x.xxx.xx

I had actually set up my networking when netconfig ran during installation, but those are what I entered, except for the x's in my nameserver; I'm sure my ISP will appreciate that I put them there instead of the correct numbers.

I have an ADSL connection using a D-Link 302G modem set up in bridge mode, so I will use pppoe to connect with my ISP and to configure it. I first need to run "pppoe-setup" and follow the prompts, noting that I will not provide my ISP's DNS when prompted. Connections are brought up with "pppoe-start"; check out the pppoe manpage for further details. There might be a more appropriate place to do it, but I run pppoe-start from rc.local.

Before I make a connection I will first need to copy my firewall script, which is appropriately named rc.firewall, into /etc/rc.d. The script /etc/rc.d/rc.inet2 will run this script at boot if it is executable. In a situation like this I need to start it now, before I open up my ADSL connection, so I will run it from a terminal with /etc/rc.d/rc.firewall. I can then use "pppoe-start" to get my connection up, and then I will need to run "route add default ppp0" so that any client on the LAN can access the net.
I can then make up individual scripts for these commands, or just add them to /etc/rc.d/rc.local and they will be run at the end of a boot after everything else is up and running.

3. Setting up file sharing with NFS:

I will be sharing 2 directories on /dev/hdb, which is a 200 GB hard drive that I back things up to as well as save digital TV shows to for viewing later. Chapters 3 and 4 of the NFS-HOWTO by Christopher Smith tell all I need to know. I'll put the relevant lines for the relevant files below. Remember that /etc/rc.d/rc.nfsd and /etc/rc.d/rc.portmap will need to be executable. If they are executable, /etc/rc.d/rc.inet2 will run these scripts at boot.

/etc/exports:

  /mnt/hdb9/videos   192.168.1.2(rw,sync,no_root_squash) 192.168.1.3(rw,sync,no_root_squash)
  /mnt/hdb9/backups  192.168.1.2(rw,sync,no_root_squash) 192.168.1.3(rw,sync,no_root_squash)

/etc/hosts.deny:

  portmap:ALL
  lockd:ALL
  mountd:ALL
  rquotad:ALL
  statd:ALL

/etc/hosts.allow:

  portmap: 192.168.1.2 , 192.168.1.3
  lockd: 192.168.1.2 , 192.168.1.3
  rquotad: 192.168.1.2 , 192.168.1.3
  mountd: 192.168.1.2 , 192.168.1.3
  statd: 192.168.1.2 , 192.168.1.3

There will also need to be two new lines added to the clients' /etc/fstab:

  192.168.1.1:/mnt/hdb9/videos   /videos       nfs rw,hard,intr 0 0
  192.168.1.1:/mnt/hdb9/backups  /var/backups  nfs rw,hard,intr 0 0

In order for these directories to be mounted they will first have to be created on the clients. To get file sharing up and running without rebooting, run "/etc/rc.d/rc.nfsd start" and "/etc/rc.d/rc.portmap start" on the server, then "mount -a" on the clients.
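As an added example (my own code, not part of these notes or the NFS-HOWTO), here is a small Python audit of the three files above. It parses /etc/exports, /etc/hosts.allow and /etc/hosts.deny, checks that every exported client is inside the LAN (assumed to be 192.168.1.0/24) and is also listed for portmap and mountd in hosts.allow, checks that hosts.deny really blocks the RPC daemons by default, and flags every no_root_squash entry, since with that option root on the workstation is root on the share. The file contents are constructed copies of the lines above.

```python
# Added example, not from the notes: audit /etc/exports against the TCP
# wrapper files before turning nfsd on.
from ipaddress import ip_address, ip_network

# Constructed copies of the three files from section 3.
EXPORTS = """\
/mnt/hdb9/videos   192.168.1.2(rw,sync,no_root_squash) 192.168.1.3(rw,sync,no_root_squash)
/mnt/hdb9/backups  192.168.1.2(rw,sync,no_root_squash) 192.168.1.3(rw,sync,no_root_squash)
"""
HOSTS_DENY = "portmap:ALL\nlockd:ALL\nmountd:ALL\nrquotad:ALL\nstatd:ALL\n"
HOSTS_ALLOW = """\
portmap: 192.168.1.2 , 192.168.1.3
lockd: 192.168.1.2 , 192.168.1.3
rquotad: 192.168.1.2 , 192.168.1.3
mountd: 192.168.1.2 , 192.168.1.3
statd: 192.168.1.2 , 192.168.1.3
"""
LAN = ip_network("192.168.1.0/24")          # assumption: the home LAN
RPC_SERVICES = ("portmap", "lockd", "mountd", "rquotad", "statd")


def parse_exports(text):
    """Return {path: [(client, [options, ...]), ...]} from /etc/exports text."""
    exports = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        entries = []
        for token in clients:                 # each token is host[(opt,opt,...)]
            host, _, rest = token.partition("(")
            opts = rest.rstrip(")").split(",") if rest else []
            entries.append((host, opts))
        exports[path] = entries
    return exports


def parse_wrappers(text):
    """Return {daemon: [client tokens]} from hosts.allow / hosts.deny text."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        tokens = clients.replace(",", " ").split()
        for daemon in daemons.replace(",", " ").split():
            table.setdefault(daemon, []).extend(tokens)
    return table


def audit(exports_text, allow_text, deny_text, lan=LAN):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    exports = parse_exports(exports_text)
    allow = parse_wrappers(allow_text)
    deny = parse_wrappers(deny_text)
    for svc in RPC_SERVICES:
        if "ALL" not in deny.get(svc, []):
            findings.append(f"hosts.deny: {svc} is not denied by default")
    for path, entries in exports.items():
        for client, opts in entries:
            if client == "" or "*" in client:
                findings.append(f"{path}: wildcard client {client!r}")
                continue
            try:
                if ip_address(client) not in lan:
                    findings.append(f"{path}: client {client} is outside {lan}")
            except ValueError:
                findings.append(f"{path}: non-IP client {client!r}, cannot check against LAN")
            if "no_root_squash" in opts:
                findings.append(f"{path}: {client} has no_root_squash "
                                "(root on the client is root on this share)")
            for svc in ("portmap", "mountd"):   # the two daemons a mount needs
                if client not in allow.get(svc, []):
                    findings.append(f"hosts.allow: {client} is exported {path} "
                                    f"but not allowed for {svc}")
    return findings


if __name__ == "__main__":
    for finding in audit(EXPORTS, HOSTS_ALLOW, HOSTS_DENY):
        print(finding)
```

Run against the files as written above, the only findings are the four no_root_squash entries; drop the option from /etc/exports if the clients do not need root-owned files on the shares, and the audit comes back empty.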
I've never really taken the time to understand all the options in cupsd.conf, and this time around I will be using the cupsd.conf suggested by Carla Schroder in chapter 14 of the Linux Cookbook, found easily enough on the internet.

  # /etc/cups/cupsd.conf
  # box.miles.home
  LogLevel debug
  Port 631

  <Location />
  Order Deny,Allow
  Deny From All
  Allow From 127.0.0.1
  Allow From 192.168.1.*
  </Location>

  BrowseAddress 192.168.1.255

  <Location /admin>
  AuthType Basic
  AuthClass System
  Order Deny,Allow
  Deny From All
  Allow From 127.0.0.1
  Allow From 192.168.1.2
  </Location>
  # end of /etc/cups/cupsd.conf

Each client will need to have the following (uncommented) line in /etc/cups/client.conf:

  ServerName 192.168.1.1

5. HPOJ and CUPS:

As far as I know, my options are rather limited when it comes to networking my HP-PSC scanner. I can do it with SANE, but I need hpoj to access the scanner across the LAN. Hpoj is no longer in development and has been replaced by HPLIP, but the source is still available, it is an easy compile and there is good documentation available in the source's /doc directory. As yet HPLIP can not be used to network HP scanners. All I need to do is untar the source, then cd into the directory and:

  ./configure --prefix=/usr
  make
  checkinstall
  installpkg hpoj-0.91-i386-1.tgz

I'm lazy. In this instance I have let checkinstall make the Slack package for me. After I have connected my two printers and turned them on I will run "ptal-init setup", a CLI wizard used to set up hpoj-managed devices. Note that ptal-init has to start before the print spooler (CUPS). I have made up an rc.hpoj script for starting hpoj:

  #!/bin/bash
  #
  # Startup/shutdown script for hpoj
  # Note: This script must start before cupsd.

  case "$1" in
    start)
      echo "Starting hpoj"
      echo "ptal-init start"
      ptal-init start
      echo "ptal-cups"
      ptal-cups
      ;;
    stop)
      echo "Stopping hpoj"
      ptal-init stop
      ;;
    restart)
      echo "Stopping hpoj"
      ptal-init stop
      echo "Restarting hpoj"
      ptal-init start
      ;;
    *)
      echo $"Usage: $0 {start|stop|restart}"
      exit 1
      ;;
  esac
  exit $?
In order to get /etc/rc.d/rc.hpoj to run before /etc/rc.d/rc.cups, put the following lines into /etc/rc.d/rc.M just before the stanza for CUPS:

  # Start hpoj before CUPS:
  if [ -x /etc/rc.d/rc.hpoj ]; then
    /etc/rc.d/rc.hpoj start
  fi

If you already have an hpoj stanza in rc.M, make sure it is called before CUPS. Since I started ptal-init when I set up my devices, I will have to restart CUPS with "/etc/rc.d/rc.cups restart" before I can open up my CUPS server at 192.168.1.1:631. I will then have to delete any previously configured printers on the server and set up new ones, because I will now access printers as ptal devices and not USB devices. For example, when configuring my HP-PSC, I would select "Device URI: ptal:/mlc:usb:PSC_2350_series".

6. Setting up network scanning with saned:

Saned is the SANE daemon that allows access to scanners across a network. I found what I needed to get this going in the hpoj docs and at http://penguin-breeder.org/sane/saned/. My notes are a bit terse concerning saned, but I leave them that way.

Make sure hpoj is installed and working properly, that there is an rc.hpoj script in /etc/rc.d that is executable, and that it is called from /etc/rc.d/rc.M and starts before CUPS.

Add this line to /etc/services (at the bottom will do):

  sane-port 6566/tcp # saned (network scanner daemon)

Add this line to /etc/inetd.conf (be sure the path is correct):

  sane-port stream tcp nowait saned.saned /usr/sbin/saned saned

Next restart inetd with "/etc/rc.d/rc.inetd restart", or alternatively send the inetd daemon a HUP signal:

  root@box:/~# ps x | grep inetd
   4680 ?        Ss     0:00 /usr/sbin/inetd
   8418 pts/6    S+     0:00 less /etc/inetd.conf

and now that you know the pid:

  root@box:/~# kill -HUP 4680

Now, to see if saned is listening at the sane-port, 6566, and working:

  root@box:/~# telnet localhost 6566
  Trying 127.0.0.1...
  Connected to localhost.
  Escape character is '^]'.
  ^]
  Connection closed by foreign host.
Make sure there is a group "saned" and a user "saned", and make sure you have the correct permissions for the scanner device:

  root@box:/~# chown root:saned /dev/usb/scanner0 && chmod g+rw /dev/usb/scanner0

then check the permissions for the scanner:

  root@box:/~# ls -l /dev/usb/scanner0
  crw-rw---- 1 root saned 180, 48 2001-03-26 07:04 /dev/usb/scanner0

Make sure that clients can access the scanner by editing /etc/sane.d/saned.conf on 192.168.1.1 to allow client access. All I need to do is put "192.168.1.1/24" in as an uncommented line. On the clients make sure that /etc/sane.d/dll.conf contains the word "net", that it is not commented out, and that /etc/sane.d/net.conf has a line with the address of the server, i.e. 192.168.1.1.

7. Setting up snort inline:

I have downloaded the snort-2.4.5 /src directory from www.slacky.it. This directory contains the source for snort-2.4.5 plus a snort rules tarball, snort.SlackBuild (the build script) and other relevant files. When I open snort.SlackBuild I can see that it has not been set up to compile snort for inline operation, so I edit the script, add "--enable-inline" to the ./configure options and run "./snort.SlackBuild". When the package is ready I install it on the server.

As it turns out snort did not install as I would have liked. There is an /etc/rules directory and all the config files are in /etc and not /etc/snort. Rather than fiddle with making a new package I will mkdir /etc/snort and move /etc/rules and the config files into it.
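As an added example (my own code, not part of these notes), here is a Python check of which hosts can reach the two services shared on the LAN: the CUPS server from section 4 and saned from section 6. It parses the <Location /> and <Location /admin> blocks of the Cookbook cupsd.conf and applies the CUPS 1.x rule that with "Order Deny,Allow" a matching Allow overrides the Deny, then parses saned.conf and treats an address written with a prefix length, like the "192.168.1.1/24" above, as the whole 192.168.1.0/24 network, which is how saned's netmask comparison behaves. The block boundaries in cupsd.conf and the ACL semantics are my reading of those programs, not something the notes state; the file contents and client addresses are constructed.

```python
# Added example, not from the notes: who can print, who can reach the CUPS
# admin pages, and who can scan, according to cupsd.conf and saned.conf.
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network

# Constructed copy of the Cookbook cupsd.conf used in section 4.
CUPSD_CONF = """\
LogLevel debug
Port 631
<Location />
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Allow From 192.168.1.*
</Location>
BrowseAddress 192.168.1.255
<Location /admin>
AuthType Basic
AuthClass System
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Allow From 192.168.1.2
</Location>
"""
# Constructed copy of the single uncommented line in saned.conf (section 6).
SANED_CONF = "# hosts allowed to use the scanner\n192.168.1.1/24\n"


def parse_cupsd(text):
    """Return [(location_path, {"Order": str, "Deny": [..], "Allow": [..]}), ...]."""
    locations, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower().startswith("<location"):
            current = {"Order": "Deny,Allow", "Deny": [], "Allow": []}
            locations.append((line[len("<Location"):].strip(" >"), current))
        elif line.lower() == "</location>":
            current = None
        elif current is not None:
            key, _, val = line.partition(" ")
            if key == "Order":
                current["Order"] = val.replace(" ", "")
            elif key in ("Deny", "Allow"):
                current[key].append(val.split()[-1])    # "From X" -> X
    return locations


def _host_matches(pattern, client):
    """CUPS host patterns: 'All', an address, or an address with '*' wildcards."""
    return pattern.lower() == "all" or fnmatch(client, pattern)


def _acl_allows(acl, client):
    denied = any(_host_matches(p, client) for p in acl["Deny"])
    allowed = any(_host_matches(p, client) for p in acl["Allow"])
    if acl["Order"].lower() == "deny,allow":
        return allowed or not denied            # Allow overrides Deny
    return allowed and not denied               # Allow,Deny: Deny overrides


def cups_allows(client, path, locations):
    """Apply the most specific <Location> whose prefix covers the request path."""
    best = None
    for loc, acl in locations:
        if loc == "/" or path == loc or path.startswith(loc.rstrip("/") + "/"):
            if best is None or len(loc) > len(best[0]):
                best = (loc, acl)
    return best is not None and _acl_allows(best[1], client)


def parse_saned(text):
    """One address or address/prefix per line; hostnames are skipped here."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ip_network(line, strict=False))  # 192.168.1.1/24 -> 192.168.1.0/24
        except ValueError:
            pass                                         # a hostname; saned resolves it
    return nets


def saned_allows(client, nets):
    return any(ip_address(client) in net for net in nets)


def access_report(clients, cupsd_text=CUPSD_CONF, saned_text=SANED_CONF):
    """Map each client address to what it may do on this server."""
    locations = parse_cupsd(cupsd_text)
    nets = parse_saned(saned_text)
    return {c: {"print": cups_allows(c, "/printers/psc2355", locations),
                "cups_admin": cups_allows(c, "/admin", locations),
                "scan": saned_allows(c, nets)} for c in clients}


if __name__ == "__main__":
    for host, perms in access_report(["192.168.1.2", "192.168.1.3", "10.0.0.9"]).items():
        print(host, perms)
```

With the files as written, both workstations can print and scan, only 192.168.1.2 reaches /admin (and still has to authenticate), and an address outside the subnet gets nothing; if the saned.conf line is tightened to the two workstation addresses, the "scan" column changes accordingly.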