userdoc:system-config

userdoc:system-config [2014/05/28 15:38]
abelbeck [Network and System Configuration]
userdoc:system-config [2016/12/02 19:07] (current)
abelbeck [Network Services]
Line 3: Line 3:
 It is assumed that the instructions for a "New Installation" were followed, "Persistent Storage" and "Security and Sound Files" have been configured. It is assumed that the instructions for a "New Installation" were followed, "Persistent Storage" and "Security and Sound Files" have been configured.
  
-By default a single ''/mnt/kd/rc.conf'' file contains the AstLinux configuration, using options defined as shell script variables.  If you do not wish to use the web interface for AstLinux configuration and management, edit the ''/mnt/kd/rc.conf'' file as desired and the rest of this document can be ignored.+By default a single ''/mnt/kd/rc.conf'' file contains the AstLinux configuration, using options defined as shell script variables. If you do not wish to use the web interface for AstLinux configuration and management, edit the ''/mnt/kd/rc.conf'' file as desired and the rest of this document can be ignored.
  
-Most users will want to use the web interface, the next step is via the Network Tab in the web interface:\\+Most administrators will want to use the web interface, the next step is via the Network Tab in the web interface:\\
 {{:userdoc:ipv6-tunnel-network-tab.jpg?nolink|Network Tab}}\\ {{:userdoc:ipv6-tunnel-network-tab.jpg?nolink|Network Tab}}\\
  
 {{:userdoc:system-config-save-settings.jpg?nolink|Save Settings}} {{:userdoc:system-config-save-settings.jpg?nolink|Save Settings}}
  
-Click "Save Settings" to save any changes, and additionally it creates the ''/mnt/kd/rc.conf.d/'' directory if it did not exist.  From that point on the single ''/mnt/kd/rc.conf'' file will be ignored, instead all the ''/mnt/kd/rc.conf.d/*.conf'' files will be used for the system configuration.  All web interface configurations will be saved as ''/mnt/kd/rc.conf.d/*.conf'' files.+Click "Save Settings" to save any changes, and additionally it creates the ''/mnt/kd/rc.conf.d/'' directory if it did not exist. From that point on the single ''/mnt/kd/rc.conf'' file will be ignored, instead all the ''/mnt/kd/rc.conf.d/*.conf'' files will be used for the system configuration. All web interface configurations will be saved as ''/mnt/kd/rc.conf.d/*.conf'' files.
  
 Every administrator will want to make a few changes in the Network Tab after a "New Installation", a basic guide is described below. Every administrator will want to make a few changes in the Network Tab after a "New Installation", a basic guide is described below.
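Review bot: the rewritten paragraph about "Save Settings" says that once ''/mnt/kd/rc.conf.d/'' exists the single ''/mnt/kd/rc.conf'' file "will be ignored", but it does not say whether the values already in a hand-edited ''rc.conf'' are carried over into ''rc.conf.d/*.conf'' or silently dropped. A reader who followed the first paragraph's advice (edit ''rc.conf'' directly) and later clicks "Save Settings" needs one sentence stating what happens to those settings, since a dropped firewall or interface variable changes what the box exposes.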
Line 17: Line 17:
 {{:userdoc:system-config-external-interface.jpg?nolink|External Interface}} {{:userdoc:system-config-external-interface.jpg?nolink|External Interface}}
  
-All AstLinux configurations require an external interface to be defined.  Select the "Connection Type:" for your situation.+All AstLinux configurations require an external interface to be defined. Select the "Connection Type:" for your situation.
  
 Check "Local Domain" if the "Domain:" is unique to this box. Uncheck "Local Domain" if the "Domain:" is shared via an upstream DNS server. Check "Local Domain" if the "Domain:" is unique to this box. Uncheck "Local Domain" if the "Domain:" is shared via an upstream DNS server.
Line 25: Line 25:
 {{:userdoc:system-config-internal-interfaces.jpg?nolink|Internal Interfaces}} {{:userdoc:system-config-internal-interfaces.jpg?nolink|Internal Interfaces}}
  
-An internal (LAN/DMZ) interface is optional, but is often configured.  If AstLinux is used as a router with a public IP address, one or more internal interfaces will need to be defined.  Even if AstLinux sits behind the public router using a private IPv4 external address, it is often desired to place IP phones off an internal interface such that the "AstLinux System" (AstLinux hardware, ethernet switch, IP phones, etc.) connects to pre-existing network with a single network cable.+An internal (LAN/DMZ) interface is optional, but is often configured. If AstLinux is used as a router with a public IP address, one or more internal interfaces will need to be defined. Even if AstLinux sits behind the public router using a private IPv4 external address, it is often desired to place IP phones off an internal interface such that the "AstLinux System" (AstLinux hardware, ethernet switch, IP phones, etc.) connects to the pre-existing network with a single network cable.
  
 !!Tip ->!! Single interface hardware can utilize VLAN's to create tagged internal interfaces with the help of a managed ethernet switch. !!Tip ->!! Single interface hardware can utilize VLAN's to create tagged internal interfaces with the help of a managed ethernet switch.
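Review bot: style: "VLAN's" in the tip is a plural, not a possessive, and should read "VLANs"; the same form appears as "VPN's" in the firewall and VPN sections of this diff and should be corrected together. The tip would also be more useful if it said that the internal interface definitions above are what accept the tagged VLAN interfaces, rather than leaving the reader to infer where the VLAN setup fits.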
Line 34: Line 34:
 {{:userdoc:system-config-firewall.jpg?nolink|Firewall}} {{:userdoc:system-config-firewall.jpg?nolink|Firewall}}
  
-AstLinux provides an IPv4 / IPv6 Stateful Filtering Firewall, based on the excellent [[http://rocky.eld.leidenuniv.nl/|Arno's IPTABLES Firewall]] (**AIF**) script, developed by Arno van Amersfoort.  The Firewall is disabled by default.+AstLinux provides an IPv4 / IPv6 Stateful Filtering Firewall, based on the excellent [[http://rocky.eld.leidenuniv.nl/|Arno's IPTABLES Firewall]] (**AIF**) script, developed by Arno van Amersfoort. The Firewall is disabled by default.
  
 A feature of **AIF** is Firewall plugins that can add specific functionality outside of the core script. A feature of **AIF** is Firewall plugins that can add specific functionality outside of the core script.
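Review bot: "The Firewall is disabled by default" should carry its consequence in the same paragraph: until it is enabled, nothing filters traffic on the external interface, so the web interface and every other listening service are reachable from wherever that interface is connected. The Note further down in this diff (add a "Pass EXT->Local, TCP, 0/0, 443" rule before enabling) already implies this; stating it here, where the default is introduced, is where a reader deciding whether to enable the firewall needs it.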
Line 40: Line 40:
 !!Detailed Info ->!! **[[userdoc:tt_firewall_plugins|Firewall Plugins]]** !!Detailed Info ->!! **[[userdoc:tt_firewall_plugins|Firewall Plugins]]**
  
-The default configuration files are located in /mnt/kd/arno-iptables-firewall. Do not directly edit these files!   Either use the web interface or copy variables you wish to set from the firewall.conf file into the /mnt/kd/rc.conf.d/user.conf file.  The web interface should handle most use cases and is the recommended method.+The default configuration files are located in /mnt/kd/arno-iptables-firewall. Do not directly edit these files! Either use the web interface or copy variables you wish to set from the firewall.conf file to the **[[#advanced_configuration|Advanced Configuration]]** (''/mnt/kd/rc.conf.d/user.conf'' file). The web interface should handle most use cases and is the recommended method.
  
 !!Tip ->!! The Firewall must be enabled for a LAN/DMZ client to access a server upstream via the external interface. !!Tip ->!! The Firewall must be enabled for a LAN/DMZ client to access a server upstream via the external interface.
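Review bot: the warning "Do not directly edit these files!" gives no reason, so readers may treat it as optional; state what happens to direct edits in ''/mnt/kd/arno-iptables-firewall'' (for example whether they are overwritten) so the instruction to copy variables into the Advanced Configuration ''user.conf'' file reads as the only durable path. The new link to **[[#advanced_configuration|Advanced Configuration]]** is a good change; the paragraph should also say how ''user.conf'' values interact with the ''firewall.conf'' defaults when both define the same variable.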
Line 46: Line 46:
 !!Tip ->!! VPN's require the Firewall to be enabled, and each have associated firewall plugins that will be automatically enabled. !!Tip ->!! VPN's require the Firewall to be enabled, and each have associated firewall plugins that will be automatically enabled.
  
-!!Note ->!! If you are currently accessing the web interface via the external interface, be certain to add a "Pass EXT->Local, TCP, 0/0, 443" firewall rule before enabling the Firewall.  But in production, keep the number of "Pass EXT->Local" firewall rules to only what is absolutely required when that interface has access to the public internet.  Use a VPN to remotely manage you AstLinux system.+!!Note ->!! If you are currently accessing the web interface via the external interface, be certain to add a "Pass EXT->Local, TCP, 0/0, 443" firewall rule before enabling the Firewall. But in production, keep the number of "Pass EXT->Local" firewall rules to only what is absolutely required when that interface has access to the public internet. Use a VPN to remotely manage your AstLinux system.
 ===== Network Time ===== ===== Network Time =====
 {{:userdoc:system-config-network-time.jpg?nolink|Network Time}} {{:userdoc:system-config-network-time.jpg?nolink|Network Time}}
  
-It is important for your AstLinux box to have the proper time set, therefore on every boot the system automatically tries to get the current time from an upstream NTP server.  Use the Network Time Settings above to define the NTP server(s) (local or remote) and your local timezone.+It is important for your AstLinux box to have the proper time set, therefore on every boot the system automatically tries to get the current time from an upstream NTP server. Use the Network Time Settings above to define the NTP server(s) (local or remote) and your local timezone.
  
 Additionally, a local NTP server is automatically enabled to support local network devices and IP phones. Additionally, a local NTP server is automatically enabled to support local network devices and IP phones.
 +
 +!!Detailed Info ->!! **[[userdoc:tt_ntp_client_server|NTP Client/Server (chrony) Configuration]]**
 ===== SMTP Mail Relay ===== ===== SMTP Mail Relay =====
 {{:userdoc:system-config-smtp-relay.jpg?nolink|SMTP Mail Relay}} {{:userdoc:system-config-smtp-relay.jpg?nolink|SMTP Mail Relay}}
  
-There are many situations when it is desired for AstLinux to send an email, eg. voicemail messages, error notifications, etc. .  Define the appropriate credentials for your upstream SMTP server.+There are many situations when it is desired for AstLinux to send an email, eg. voicemail messages, error notifications, etc. . Define the appropriate credentials for your upstream SMTP server.
  
 Common "SMTP Port:" values are: 25, 465 or 587. Common "SMTP Port:" values are: 25, 465 or 587.
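Review bot: the Note's example rule "Pass EXT->Local, TCP, 0/0, 443" opens HTTPS management to every source address, which contradicts the sentence right after it about keeping "Pass EXT->Local" rules to the minimum; suggest showing the rule with the administrator's own source address or network in place of 0/0, and reserving 0/0 for the case where that address is unknown. Two smaller points in the same hunk: "etc. ." in the SMTP paragraph has a stray period, and the list of common SMTP ports (25, 465, 587) would help more with a note on which of them the relay uses TLS on, since the credentials defined in that section are sent to the upstream server.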
Line 66: Line 68:
 {{:userdoc:system-config-ipv6-tunnel.jpg?nolink|IPv6 Tunnel}} {{:userdoc:system-config-ipv6-tunnel.jpg?nolink|IPv6 Tunnel}}
  
-If you only have IPv4 connectivity, it is possible to create a tunnel via IPv4 to support IPv6 connectivity.  One common service is www.tunnelbroker.net by Hurricane Electric.+If you only have IPv4 connectivity, it is possible to create a tunnel via IPv4 to support IPv6 connectivity. One common service is www.tunnelbroker.net by Hurricane Electric.
  
 !!Detailed Info ->!! **[[userdoc:tt_ipv6_tunnel_config|IPv6 Tunnel Configuration]]** !!Detailed Info ->!! **[[userdoc:tt_ipv6_tunnel_config|IPv6 Tunnel Configuration]]**
Line 73: Line 75:
 {{:userdoc:system-config-dynamic-dns.jpg?nolink|Dynamic DNS}} {{:userdoc:system-config-dynamic-dns.jpg?nolink|Dynamic DNS}}
  
-The Dynamic DNS service allows users with (often or seldom) changing public IPv4 addresses to set a public DNS record to consistently reach your AstLinux box on the public internet.  A Dynamic DNS provider is required, supplying you with the required credentials.+The Dynamic DNS service allows users with (often or seldom) changing public IPv4 addresses to set a public DNS record to consistently reach your AstLinux box on the public internet. A Dynamic DNS provider is required, supplying you with the required credentials.
  
-Available options: [disabled], [inadyn] or [ddclient]+Available methods: [disabled], [inadyn] or [ddclient]
  
-!!Tip ->!! When enabled, it is recommended to use [ddclient] as the method since it is the best supported and supports SSL updates to protect your credentials.+!!Tip ->!! When enabled, it is recommended to use [ddclient] as the method since it is actively supported and supports SSL updates to protect your credentials.
 ===== Network Services ===== ===== Network Services =====
 {{:userdoc:system-config-network-services.jpg?nolink|Network Services}} {{:userdoc:system-config-network-services.jpg?nolink|Network Services}}
  
-Many, many Network Services are supported by AstLinux.  Too many to itemize and describe here, but the more featured services have more detailed information within this documentation.+Many, many Network Services are supported by AstLinux. Too many to itemize and describe here, but the more featured services have detailed information within this documentation.
  
 !!Detailed Info ->!! **[[userdoc:tt_dnscrypt_proxy|DNSCrypt Proxy Server]]** !!Detailed Info ->!! **[[userdoc:tt_dnscrypt_proxy|DNSCrypt Proxy Server]]**
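Review bot: the Dynamic DNS tip recommends [ddclient] because it "supports SSL updates to protect your credentials", which implies the [inadyn] method sends them in the clear; say so explicitly, and state whether SSL is on by default when [ddclient] is selected in the web interface or must be turned on separately, since the credentials are for a public DNS record that points at this box.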
Line 88: Line 90:
  
 !!Detailed Info ->!! **[[userdoc:tt-ldap-server|LDAP Server Configuration]]** !!Detailed Info ->!! **[[userdoc:tt-ldap-server|LDAP Server Configuration]]**
 +
 +!!Detailed Info ->!! **[[userdoc:tt_zabbix_monitoring|Zabbix Monitoring Configuration]]**
  
 {{:userdoc:system-config-http-https.jpg?nolink|HTTP/HTTPS}} {{:userdoc:system-config-http-https.jpg?nolink|HTTP/HTTPS}}
  
-THe HTTP/HTTPS settings control the built-in web server.  The web server is used for the web interface as well as serving files for phone provisioning and other situations.+THe HTTP/HTTPS settings control the built-in web server. The web server is used for the web interface as well as serving files for phone provisioning and other situations.
  
 After you have visited the Prefs tab and specified the "Distinguished Name:" section (in the Prefs tab), you may check "Create New HTTPS Certificate" followed by "Save Settings" (in the Network tab) to generate a custom self-signed certificate for the web interface. After you have visited the Prefs tab and specified the "Distinguished Name:" section (in the Prefs tab), you may check "Create New HTTPS Certificate" followed by "Save Settings" (in the Network tab) to generate a custom self-signed certificate for the web interface.
  
-!!Note ->!! If you manually create the ''/mnt/kd/phoneprov/'' directory, HTTP/HTTPS serves any files under the ''/mnt/kd/phoneprov/'' directory with URL paths beginning with ''/phoneprov/'' Be sure to consider restricting ''/phoneprov/'' access as shown above.+!!Note ->!! If you manually create the ''/mnt/kd/phoneprov/'' directory, HTTP/HTTPS serves files under the ''/mnt/kd/phoneprov/'' directory with URL paths beginning with ''/phoneprov/'' . Be sure to consider restricting ''/phoneprov/'' access as shown above.
  
 {{:userdoc:system-config-vpn.jpg?nolink|VPN Types}} {{:userdoc:system-config-vpn.jpg?nolink|VPN Types}}
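Review bot: the ''/phoneprov/'' note says to restrict access "as shown above", but nothing in the text names the setting; since the screenshot is the only reference, name the HTTP/HTTPS option that limits ''/phoneprov/'' access in the sentence itself, and say why it matters (provisioning files served to phones typically carry their account credentials). Also, "THe HTTP/HTTPS settings" still has the capitalization typo on both sides of this diff.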
Line 108: Line 112:
     * IPsec Peers - Tunnel routed local and remote subnets using static IP addresses.     * IPsec Peers - Tunnel routed local and remote subnets using static IP addresses.
     * IPsec Mobile - Act as an IPsec server to allow remote IPsec client's with dynamic IP addresses to access selected network subnets.     * IPsec Mobile - Act as an IPsec server to allow remote IPsec client's with dynamic IP addresses to access selected network subnets.
-    * PPTP Server - Do not enable this server unless absolutely required for compatibility.  Both OpenVPN and IPsec are more secure choices.+    * IPsec strongSwan - Act as an IPsec endpoint using strongSwan. 
 +    * PPTP Server - Do not enable this server unless absolutely required for compatibility. Both OpenVPN and IPsec are more secure choices.
  
 !!Detailed Info ->!! **[[userdoc:tt_openvpn_server|OpenVPN Configuration]]** !!Detailed Info ->!! **[[userdoc:tt_openvpn_server|OpenVPN Configuration]]**
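Review bot: the new bullet "IPsec strongSwan - Act as an IPsec endpoint using strongSwan." does not tell the reader when to choose it over "IPsec Peers" or "IPsec Mobile", which are described by what they tunnel; give it the same treatment (what it connects and for which clients) so the list stays parallel. In the "IPsec Mobile" bullet, "client's" should be "clients".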
Line 114: Line 119:
 !!Detailed Info ->!! **[[userdoc:tt_ipsec_vpn_apple_ios|IPsec VPN Configuration]]** !!Detailed Info ->!! **[[userdoc:tt_ipsec_vpn_apple_ios|IPsec VPN Configuration]]**
  
-!!Note ->!! VPN's require the Firewall to be enabled, and each have associated firewall plugins that will be automatically enabled.+!!Detailed Info ->!! **[[userdoc:tt_ipsec_vpn_strongswan|IPsec VPN (strongSwan) Configuration]]**
  
 +!!Note ->!! VPN's require the Firewall to be enabled, and each have associated firewall plugins that will be automatically enabled.
 ===== UPS Monitoring ===== ===== UPS Monitoring =====
 {{:userdoc:system-config-ups.jpg?nolink|UPS Monitoring}} {{:userdoc:system-config-ups.jpg?nolink|UPS Monitoring}}
Line 125: Line 131:
 {{:userdoc:system-config-advanced.jpg?nolink|Advanced Configuration}} {{:userdoc:system-config-advanced.jpg?nolink|Advanced Configuration}}
  
-Not every configuration option of AstLinux has a web interface implementation, in those cases the configuration variables must be defined manually.  The "User System Variables:" is for such a case, and edits the ''/mnt/kd/rc.conf.d/user.conf'' file by clicking on the **Edit User Variables** button.+Not every configuration option of AstLinux has a web interface implementation, in those cases the configuration variables must be defined manually. The "User System Variables:" is for such a case, and edits the ''/mnt/kd/rc.conf.d/user.conf'' file by clicking on the **Edit User Variables** button.
  
 Configuration variables are specified using the format: Configuration variables are specified using the format:
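Review bot: the Advanced Configuration paragraph presents ''/mnt/kd/rc.conf.d/user.conf'' as the place for variables with no web interface, but the Firewall section in this same diff also directs readers to copy ''firewall.conf'' variables there; state the precedence between ''user.conf'' and the other ''rc.conf.d/*.conf'' files written by the web interface, so a reader knows whether a ''user.conf'' value overrides or is overridden by a later "Save Settings".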
  • userdoc/system-config.1401309524.txt.gz
  • Last modified: 2014/05/28 15:38
  • by abelbeck