Alpine Linux - User contributions [en]

Tutorials and Howtos

2014-01-07T08:52:06Z

Mhavela: /* Other Servers */ Send SMS using gnokii

[[Image:package_edutainment.svg|right|link=]]
{{TOC left}}
'''Welcome to Tutorials and Howtos, a place of basic and advanced configuration tasks for your Alpine Linux.'''

The tutorials are hands-on and the reader is expected to try and achieve the goals described in each step, possibly with the help of a good example. The output in one step is the starting point for the following step.

Howtos are smaller articles explaining how to perform a particular task with Alpine Linux.

We encourage people to send in both complete articles as well as requesting topics to be covered. If you think you have the skills and knowledge to write an Alpine Linux related article please do so on this Wiki. If you want to request a topic, please add your request in this page's [[Talk:Tutorials_and_Howtos|Discussion]].

{{Clear}}
== Storage ==

* [[Alpine local backup|Alpine local backup (lbu)]] ''(Permanently store your modifications in case your box needs reboot)'' 
** [[Back Up a Flash Memory Installation]] 
** [[Manually editing a existing apkovl]]

* [[Setting up disks manually]] 
* [[Setting up a software RAID1 array]]

* [[Setting up encrypted volumes with LUKS]]
* [[Setting up Logical Volumes with LVM]]
** [[Setting up LVM on GPT-labeled disks]]
* [[Filesystems|Formatting HD/Floppy/Other]] 

* [[Setting up iSCSI]]
** [[iSCSI Raid and Clustered File Systems]]
* [[High performance SCST iSCSI Target on Linux software Raid]] ''(deprecated)'' 
* [[Linux iSCSI Target (TCM)]]
* [[Disk Replication with DRBD]] 

* [[Burning ISOs]] 
* [[Bootmanagers]]
* [[Migrating data]]

== Networking ==

* [[Configure Networking]]
* [[Connecting to a wireless access point]]
* [[Bonding]]
* [[Vlan]]
* [[Bridge]]
* [[How to configure static routes]]

* [[Alpine Wall]] - [[How-To Alpine Wall]] - [[Alpine Wall User's Guide]] ''(a new firewall management framework)''

* [[Using serial modem]]
* [[Using HSDPA modem]]
* [[Setting up Satellite Internet Connection]]
* [[Using Alpine on Windows domain with IPSEC isolation]]

* [[Setting up a ssh-server]] ''(Using ssh is a good way to administer your box remotely)'' 
* [[How to setup a wireless access point]] ''(Setting up Secure Wireless AP w/ WPA encryption with bridge to wired network)''
* [[Setting up a OpenVPN server with Alpine]] ''(Allowing single users or devices to remotely connect to your network)''

* [[Experiences with OpenVPN-client on ALIX.2D3]] 

* [[Generating SSL certs with ACF]] 
* [[Setting up unbound DNS server]]
* [[Setting up nsd DNS server]]
* [[TinyDNS Format]]
* [[Fault Tolerant Routing with Alpine Linux]] 
* [[Freeradius Active Directory Integration]]
* [[Multi_ISP]] ''(Dual-ISP setup with load-balancing and automatic failover)''
* [[OwnCloud]] ''(Installing OwnCloud)''

== Post-Install ==


* [[Alpine Linux package management|Package Management (apk)]] ''(How to add/remove packages on your Alpine)''

** [[Comparison with other distros]]
* [[Alpine local backup|Alpine local backup (lbu)]] ''(Permanently store your modifications in case your box needs reboot)''
** [[Back Up a Flash Memory Installation]] 
** [[Manually editing a existing apkovl]]
* [[Alpine Linux Init System|Init System (OpenRC)]] ''(Configure a service to automatically boot at next reboot)''
** [[Multiple Instances of Services]]

* [[Upgrading Alpine]]


* [[Setting up a ssh-server]] ''(Using ssh is a good way to administer your box remotely)''
* [[setup-acf]] ''(Configures ACF (webconfiguration) so you can manage your box through https)''
* [[Changing passwords for ACF|Changing passwords]]
* [[Ansible]] ''(Configuration management)''

* [[Enable Serial Console on Boot]]
* [[Error message on boot: Address space collision: host bridge window conflicts with Adaptor ROM]]

== Desktop Environment ==

* [[XFCE Setup]] and [[Xfce Desktop|Desktop Ideas]]
* [[EyeOS]] ''(Cloud Computing Desktop)''
* [[Oneye]] ''(Cloud Computing Desktop - Dropbox Alternative)''
* [[Owncloud]] ''(Cloud Computing Desktop - Dropbox Alternative)''
** (to be merged with [[OwnCloud]] ''(Your personal Cloud for storing and sharing your data on-line)'')
* [[Gnome Setup]]
* [[Awesome(wm) Setup]]

== Applications ==

=== Telephony ===
* [[Setting up Zaptel/Asterisk on Alpine]]
** [[Setting up Streaming an Asterisk Channel]]
* [[Freepbx on Alpine Linux]]
* [[FreePBX_V3]] ''(FreeSWITCH, Asterisk GUI web acces tool)''
* [[2600hz]] ''(FreeSWITCH, Asterisk GUI web access tool)''
* [[Kamailio]] ''(SIP Server, formerly OpenSER)''

=== Mail ===
* [[Hosting services on Alpine]] ''(Hosting mail, webservices and other services)''
** [[Hosting Web/Email services on Alpine]]
* [[ISP Mail Server HowTo]] 
** [[ISP Mail Server Upgrade 2.x]]
** [[ISP Mail Server 2.x HowTo]] ''(Beta, please test)''
* [[Roundcube]] ''(Webmail system)''
* [[Setting up postfix with virtual domains]]
* [[Protecting your email server with Alpine]]
* [[Setting up clamsmtp]]
* [[Setting up dovecot with imap and ssl]]

=== HTTP ===
* [[Lighttpd]]
** [[Lighttpd Https access]]
** [[Setting Up Lighttpd with PHP]]
** [[Setting Up Lighttpd With FastCGI]]
* [[Cherokee]]
* [[Nginx]]
* [[Apache]]
** [[Setting Up Apache with PHP]]
** [[Apache authentication: NTLM Single Signon]]

* [[High Availability High Performance Web Cache]] ''(uCarp + HAProxy for High Availability Services such as Squid web proxy)'' 

* [[Setting up Transparent Squid Proxy]] 
** [[SqStat]] ''(Script to look at active squid users connections)''
** [[Obtaining user information via SNMP]] ''(Using squark-auth-snmp as a Squid authentication helper)'' 
* [[Setting up Explicit Squid Proxy]]

* [[Drupal]] ''(Content Management System (CMS) written in PHP)''
* [[WordPress]] ''(Web software to create website or blog)''
* [[MediaWiki]] ''(Free web-based wiki software application)''
* [[DokuWiki]]

=== Other Servers ===
* [[Setting up a ssh-server]] ''(Using ssh is a good way to administer your box remotely)''

* [[Phpizabi]] ''(Social Networking Platform)''
* [[Statusnet]] ''(Microblogging Platform)''
* [[Pastebin]] ''(Pastebin software application)''
* [[Setting up Transmission (bittorrent) with Clutch WebUI]]

* [[Redmine]] ''(Project management system)''
* [[Request-Tracker]] ''(Ticket system)''
* [[OsTicket]] ''(Ticket system)''
* [[Setting up trac wiki|Trac]] ''(Enhanced wiki and issue tracking system for software development projects)''

* [[Cgit]]
** [[Setting up a git repository server with gitolite and cgit]] 
* [[Roundcube]] ''(Webmail system)''
* [[Glpi]] ''(Manage inventory of technical resources)''

* [[How to setup a Alpine Linux mirror]]
* [[Cups]]
* [[NgIRCd]] ''(Server for Internet Relay Chat/IRC)''
* [[OpenVCP]] ''(VServer Control Panel)''
* [[Mahara]] ''(E-portfolio and social networking system)''
* [[Chrony and GPSD | Using chrony, gpsd, and a garmin LVC 18 as a Stratum 1 NTP source ]]
* [[Sending SMS using gnokii]]

=== Monitoring ===
* [[Traffic monitoring]] 
* [[Setting up traffic monitoring using rrdtool (and snmp)]] 
* [[Setting up monitoring using rrdtool (and rrdcollect)]]
* [[Setting up Cacti|Cacti]] ''(Front-end for rrdtool networking monitor)''
* [[Setting up Zabbix|Zabbix]] ''(Monitor and track the status of network services and hardware)''
* [[Setting up A Network Monitoring and Inventory System]] ''(Nagios + OpenAudit and related components)'' 
** [[Setting up NRPE daemon]] ''(Performs remote Nagios checks)'' 
* [[Setting up Smokeping|Smokeping]] ''(Network latency monitoring)'' 
** [[Setting up MRTG and Smokeping to Monitor Bandwidth Usage and Network Latency]]
* [[Setting Up Fprobe And Ntop|Ntop]] ''(NetFlow collection and analysis using a remote fprobe instance)'' 
* [[Cvechecker]] ''(Compare installed packages for Common Vulnerabilities Exposure)'' 

* [[IP Accounting]] 
* [[Obtaining user information via SNMP]] ''(Using squark-auth-snmp as a Squid authentication helper)'' 
* [[SqStat]] ''(Script to look at active squid users connections)''

* [[Piwik]] ''(A real time web analytics software program)''
* [[Awstats]] ''(Free log file analyzer)''
* [[Intrusion Detection using Snort]]
** [[Intrusion Detection using Snort, Sguil, Barnyard and more]]
* [[Dglog]] ''(Log analyzer for the web content filter DansGuardian)''

* [[Webmin]] ''(A web-based interface for Linux system)''
* [[PhpPgAdmin]] ''(Web-based administration tool for PostgreSQL)''
* [[PhpMyAdmin]] ''(Web-based administration tool for MYSQL)''
* [[PhpSysInfo]] ''(A simple application that displays information about the host it's running on)''
* [[Linfo]]

* [[Setting up lm_sensors]]

== Misc ==

* [[:Category:Shell]]
* [[:Category:Programming]]
* [[Running glibc programs]]
* [[:Category:Drivers]]
* [[:Category:Multimedia]]

== Complete Solutions ==
* [[Replacing non-Alpine Linux with Alpine remotely]]
* [[High performance SCST iSCSI Target on Linux software Raid]]
* [[Fault Tolerant Routing with Alpine Linux]]
* [[Experiences with OpenVPN-client on ALIX.2D3]]

* [[ISP Mail Server HowTo]] ''(Postfix+PostfixAdmin+DoveCot+Roundcube+ClamAV+Spamd - A full-serivce ISP mail server)''
** [[ISP Mail Server Upgrade 2.x]]
** [[ISP Mail Server 2.x HowTo]] ''(Beta, please test)''
* [[High Availability High Performance Web Cache]] ''(uCarp + HAProxy for High Availability Services such as Squid web proxy)''
* [[Setting up A Network Monitoring and Inventory System]] ''(Nagios + OpenAudit and related components)'' 
* [[Streaming Security Camera Video with VLC]]
* [[Dynamic Multipoint VPN (DMVPN)]]

Sending SMS using gnokii

2014-01-07T08:47:45Z

Mhavela: Created page with "__NOTOC__ In this tutorial we are using {{pkg|gnokii}} to send SMS == Prerequisites == This doc is documented and tested based on Alpine Linux 2.7, but it might work for earl..."

__NOTOC__
In this tutorial we are using {{pkg|gnokii}} to send SMS

== Prerequisites ==
This doc is documented and tested based on Alpine Linux 2.7, but it might work for earlier versions too. 
You will also need some sort of modem that can send SMS (e.g. a USB dongle with a SIM-card).

== Install ==
* Install required package(s)
{{Cmd|apk add gnokii}}
* Create missing folders
{{Cmd|mkdir -p /root/.cache/gnokii/}}
* Physically attach a SMS capable modem to the host

== Configure ==
* Add the following content to '<tt>/etc/gnokiirc</tt>'
<pre>
[global]
port = /dev/ttyUSB0
model = AT
connection = serial
use_locking = yes
serial_baudrate = 115200
smsc_timeout = 30

[gnokiid]
binddir = /usr/bin/

[logging]
debug = off
rlpdebug = off
xdebug = off
</pre>
{{Note|You will most likely need to change the above config so it to suit your equipment and setup.}}
* Verify if the configuration works as expected
{{cmd|gnokii --identify}}
{{note|You should receive a output that looks something like this:<pre>
GNOKII Version 0.6.31
Cannot open logfile /root/.cache/gnokii/gnokii-errors
WARNING: cannot open logfile, logs will be directed to stderr
IMEI : 123456789012345
Manufacturer : Undefined
No flags section in the config file.
Model : Teltonika TM1
Product name : Teltonika TM1
Revision : VilniusSMD 05.94.01
</pre>
}}

== Sending SMS ==
* Now send a SMS
{{cmd|echo "Test sms" {{!}} gnokii --sendsms 123456}}
{{note|You will need to replace 123456 with the phone number you want to send your test SMS}}

Changing passwords for ACF

2013-11-20T15:22:33Z

Mhavela: Re-defining procedurs on how to set acf-password (now describing 'acfpasswd' feature)

__NOTOC__
This provides documentation for beginner Alpine Linux users on how to change passwords for the console login as well as the ACF. It is pretty simple.

== Changing ACF password using command line ==
Setting ACF password is done in various ways depending on how old your system is.

=== Set ACF-password on Alpine Linux 1.9 and newer ===
Set the ACF-password for a specific user (where '<TT>username</TT>' could be a system user, such as '<TT>root</TT>'):
{{Cmd|acfpasswd username}}
You would be prompted to enter a new password for this user.
{{Tip|You could set the ACF password to reflect the system user's password. In such case you would run a command that looks like this:
{{Cmd|acfpasswd -s username}}
''(The '<TT>-s</TT>' flag tells the system to copy the system user's password into ACF-password database.)''
}}

=== Set ACF-password on Alpine Linux 1.8 and older ===
The logins and passwords for the ACF users are stored in a separate location: '<TT>/etc/acf/passwd</TT>'.

The syntax for the '<TT>/etc/acf/passwd</TT>' file is as follows:

username:md5sumpassword::ROLE

For example, change the ACF user '<TT>Alpine</TT>' as follows:

# Generate a md5sum hash of the password '<TT>testing123</TT>', and send it to the passwd file: {{Cmd|echo -n "testing123" {{!}} md5sum >> /etc/acf/passwd}}
# Edit the passwd file to put the hash in the correct place as shown below, deleting the existing hash:
::<pre>Alpine:92707c3c2766ce04133e0f85681add8b::ADMIN</pre>

== To change passwords from the ACF Interface ==

Log on as a user with the Admin role, which has rights to change user passwords other than it's own.

Browse to '''System >> User Management'''

Under the Existing Account section, click '''[Edit this account]''' under the user whose password you want to change.

Enter the new password in the '<TT>Password</TT>' and '<TT>Password (Confirm)</TT>' fields.

Click '''[Save]''' to save the changes.

== Save changes ==
Remember to commit all changes (if you are running from 'tmpfs'): {{Cmd|lbu ci}}

[[Category:ACF]]
[[Category:Security]]

Include:Copying Alpine to Flash

2013-10-17T11:58:44Z

Mhavela: "modprobe vfat" if setup-bootable is failing

=== Boot Alpine Linux CD-ROM ===
# Insert the Alpine Linux CD-ROM into a computer.
# Boot the computer from the Alpine Linux CD-ROM.
#* This step may require changes to the BIOS settings to select booting from CD.
# Login with the username ''root''. No password is needed.

{{Tip|If you're not able to boot from the CD, then another option is to boot from a regular Alpine installation, and [[Burning_ISOs|manually mount the ISO image to {{Path|/media/cdrom}}]].}}

=== Determine the Device Name of the {{{1|Flash Medium}}} ===
Determine the name your computer uses for your {{{1|flash medium}}}. The following step is one way to do this.
# After inserting the {{{1|flash medium}}}, run the command:
#* {{Cmd|dmesg}}
#* At the end of this command you should see the name of your {{{1|flash medium}}}, likely starting with "sd". (For example: "sda").
#* The remainder of this document will assume that your {{{1|flash medium}}} is called /dev/sda

{{Warning|Be very careful about this. You do not want to mistakenly wipe your hard drive if it's on /dev/sda}}

=== Format {{{1|Flash Medium}}} ===
Run fdisk (replacing sda with your {{{1|flash medium}}} name):
{{Cmd|fdisk /dev/sda}}

# (''Optional'') - Create new partition table with one FAT32 partition
#* '''d''' Delete all partitions (this may take a few steps)
#* '''n''' Create a new partition
#* '''p''' A primary partition
#* '''1''' Partition number 1
#** Use defaults for first and last cylinder (just press [Enter] twice).
#* '''t''' Change partition type
#* '''c''' Partition type (Win95 FAT32/LBA)
#Verify that the primary partition is bootable
#* '''p''' Print list of partitions
#* If there is no '*' next to the first partition, follow the next steps:
#** '''a''' <big>Make the partition bootable (set boot flag)</big>
#** '''1''' Partition number 1
#'''w''' Write your changes to the device

=== Add Alpine Linux to the {{{1|Flash Medium}}} ===
To boot from your {{{1|flash medium}}} you need to copy the contents of the CDROM to the {{{1|flash medium}}} and make it bootable. Those two operations can be automated with the [[setup-bootable]] tool or can be done manually.

{{Note|If the following commands fail due to 'No such file or directory', you may have to remove and reinsert the {{{1|flash medium}}}, or even reboot, to get /dev/sda1 to appear}}

==== Automated ====
{{Tip|If using Alpine Linux 1.10.4 or newer, you can use this section to complete the install. Otherwise, follow the Manual steps below.}}
{{Note|The target partition has to be formatted. Use the <code>mkdosfs</code> command from the Manual steps below if needed.}}
# Run the [[setup-bootable]] script to add Alpine Linux to the {{{1|flash medium}}} and make it bootable (replacing sda with your {{{1|flash medium}}} name):
#: {{Cmd|setup-bootable /media/cdrom /dev/sda1}}
{{Note|If you get something like '<code>Failed to mount /dev/sda1 on /media/sda1</code>' when running the above [[setup-bootable]] command, you might want to try running:
{{Cmd|modprobe vfat}}
and then try re-run the [[setup-bootable]] command as described above.}}
{{Warning|If you are installing to a USB Stick, you may need to modify the {{Path|syslinux.cfg}} file to say <code>usbdisk</code> as [[#Wrong_Device_Name|described below]], or you will face possible problems booting and definite problems with the package cache. Recent versions of <code>setup-bootable</code> will specify the alpine_dev using a UUID instead, so it should work properly by default.}}

==== Manual ====
# (''Optional'') - If you created a new partition above, format the {{{1|flash medium}}} with a FAT32 filesystem (replacing sda with your {{{1|flash medium}}} name):
#: {{Cmd|apk add dosfstools mkdosfs -F32 /dev/sda1}}
# Install syslinux and MBR (replacing sda with your {{{1|flash medium}}} name):
#: {{Cmd|{{{|apk add syslinux dd if=/usr/share/syslinux/mbr.bin of=/dev/sda}}} syslinux /dev/sda1}}
#Copy the files to the {{{1|flash medium}}} (replacing sda with your {{{1|flash medium}}} name):
#: {{Cmd|<nowiki>mkdir -p /media/sda1
mount -t vfat /dev/sda1 /media/sda1
cd /media/cdrom
cp -a .alpine-release * /media/sda1/
umount /media/sda1</nowiki>}}

== Troubleshooting ==
=== Wrong Device Name ===
If you cannot boot from the {{{1|flash medium}}} and you see something like:
Mounting boot media failed.
initramfs emergency recovery shell launched. Type 'exit' to continue boot
then it is likely that the device name in {{Path|syslinux.cfg}} is wrong. You should replace the device name in this line:
append initrd=/boot/grsec.gz alpine_dev='''usbdisk''':vfat modules=loop,cramfs,sd-mod,usb-storage quiet
with the proper device name.
* For boot from USB, the device name should be 'usbdisk' (as shown above)
* For other options, you can run <code>cat /proc/partitions</code> to see the available disks (i.e. 'sda' or 'sdb')

=== Non-FAT32 Filesystems ===
When your {{{1|flash medium}}} is formatted with a filesystem other than FAT32, you might have to specify the necessary filesystem modules in the boot parameters.

To do so, mount the {{{1|flash medium}}} and change the {{Path|syslinux.cfg}} file line from
append initrd=/boot/grsec.gz alpine_dev=usbdisk:vfat modules=loop,cramfs,sd-mod,usb-storage quiet
to
append initrd=/boot/grsec.gz alpine_dev=usbdisk:'''ext3''' modules=loop,cramfs,sd-mod,usb-storage''',ext3''' quiet
in the case of an ext3 formatted partition. A similar procedure might apply to other filesystems (if they are supported by syslinux and the Alpine Linux kernel).

Dynamic Multipoint VPN (DMVPN)

2013-09-17T14:58:36Z

Mhavela: Allow this host to act as NTP server

{{Draft}}

http://alpinelinux.org/about under '''Why the Name Alpine?''' states: [ref?]

''The first open-source implementation of Cisco's DMVPN, called OpenNHRP, was written for Alpine Linux.''

So the aim of this document is to be the reference Linux DMVPN setup, with all the networking services needed for the clients that will use the DMVPN (DNS, DHCP, firewall, etc.).

= Terminology =
;NBMA: ''Non-Broadcast Multi-Access'' network as described in [http://tools.ietf.org/html/rfc2332 RFC 2332]

;Hub: the ''Next Hop Server'' (NHS) performing the Next Hop Resolution Protocol service within the NBMA cloud.

;Spoke: the ''Next Hop Resolution Protocol Client'' (NHC) which initiates NHRP requests of various types in order to obtain access to the NHRP service.

{{Tip|At the time of this writing the recommended Alpine version for building a DMVPN should be at minimum 2.4.11. Don't use 2.5.x, or 2.6.0 since the kernel has in-tunnel IP fragmentation issues. Alpine 2.6.1 or later should be okay instead.}}

{{Note|This document assumes that all Alpine installations are run in [[Installation#Basics|diskless mode]] and that the configuration is saved on USB key}}

= Hardware =
If you are looking for hundreds of megabits of throughput for your VPN with a limited budget, you should consider using [http://www.via.com.tw/en/initiatives/padlock/hardware.jsp VIA Padlock] engine present in VIA processor C7, Eden, Nano and Quad. If you need gigabits throughput you should go instead for an Intel Xeon processor with [http://software.intel.com/en-us/articles/intel-advanced-encryption-standard-instructions-aes-ni AES-NI] and [http://software.intel.com/en-us/articles/intel-sha-extensions SHA Extensions]

For supporting VIA Padlock engine enable its modules:

{{Cmd|echo -e "padlock_aes\npadlock-sha" >> /etc/modules}}

= Extract Certificates =
We will use certificates for DMVPN and for OpenVPN (RoadWarrior clients). If you are in need to generate your own certificates, please see [[Generating_SSL_certs_with_ACF]]. You should use a separate machine for this purpose. If you downloaded the certificates on a Windows machine, you may use [http://winscp.net/eng/download.php WinSCP] to copy them on the DMVPN box.

Here are the general purpose instruction for extracting certificates from pfx files:

{{Cmd|openssl pkcs12 -in cert.pfx -cacerts -nokeys -out cacert.pem
openssl pkcs12 -in cert.pfx -nocerts -nodes -out serverkey.pem
openssl pkcs12 -in cert.pfx -nokeys -clcerts -out cert.pem
}}

Set appropriate permission for your certificate files:

{{Cmd|chmod 600 *.pem *.pfx}}

= Spoke Node =
A local spoke node network has support for multiple ISP connections, along with redundant layer 2 switches. At least one 802.1q capable switch is required, and a second is optional for redundancy purposes. The typical spoke node network looks like:

[[File:DMVPN-Spoke.png]]

== Alpine Setup ==
We will setup the network interfaces as follows:

bond0.3 = Management '''(not implemented below yet)''' 
bond0.8 = LAN 
bond0.64 = DMZ 
bond0.80 = Voice '''(not implemented below yet)''' 
bond0.96 = Internet Access Only (no access to the DMVPN network)'''(not implemented below yet)''' 
bond0.256 = ISP1 
bond0.257 = ISP2 

Boot Alpine in [[Installation#Basics|diskless mode]] and run <code>[[setup-alpine]]</code>

{|class="wikitable"
!'''You will be prompted something like this...'''
!'''Suggestion on what you could enter...'''
|-
|<code>Select keyboard layout [none]:</code>
|''Type an appropriate layout for you''
|-
|<code>Select variant:</code>
|''Type an appropriate layout for you (if prompted)''
|-
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code>
|''Enter the hostname, e.g.'' '''vpnc'''
|-
|<code>Available interfaces are: eth0 Enter '?' for help on bridges, bonding and vlans. Which one do you want to initialize? (or '?' done')</code>
|''Enter'' '''bond0.8'''
|-
|<code>Available bond slaves are: eth0 eth1 Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code>
|'''eth0 eth1'''
|-
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code>
|''Press Enter confirming 'none'''
|-
|<code>IP address for bond0.8? (or 'dhcp', 'none', '?') [dhcp]:</code>
|''Enter the IP address of your LAN interface, e.g.'' '''10.1.0.1'''
|-
|<code>Netmask? [255.255.255.0]:</code>
|''Press Enter confirming '255.255.255.0' or type another appropriate subnet mask''
|-
|<code>Gateway? (or 'none') [none]:</code>
|''Press Enter confirming 'none'''
|-
|<code>Do you want to do any manual network configuration? [no]</code>
|'''yes'''
|-
|''Make a copy of the bond0.8 configuration for bond0.64, bond0.256 and bond0.257 (optional) interfaces. Don't forget to add a gateway and a metric value for ISP interfaces when multiple gateways are set. Save and close the file (:wq)''
|-
|<code>DNS domain name? (e.g. 'bar.com') []:</code>
|''Enter the domain name of your intranet, e.g.,'' '''example.net'''
|-
|<code>DNS nameservers(s)? []:</code>
|'''8.8.8.8 8.8.4.4''' (we will change them later)
|-
|<code>Changing password for root New password:</code>
|''Enter a secure password for the console''
|-
|<code>Retype password:</code>
|''Retype the above password''
|-
|<code>Which timezone are you in? ('?' for list) [UTC]:</code>
|''Press Enter confirming 'UTC'''
|-
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code>
|''Press Enter confirming 'none'''
|-
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code>
|''Select a mirror close to you and press Enter''
|-
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code>
|''Press Enter confirming 'openssh'''
|-
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code>
|''Press Enter confirming 'chrony'''
|-
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code>
|''Press Enter confirming 'none' or type 'none' if needed''
|-
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code>
|''Press Enter confirming 'usb'''
|-
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code>
|''Press Enter confirming '/media/usb/cache'''
|}

== Bonding ==
Update the bonding configuration:

{{cmd|echo bonding mode{{=}}balance-tlb miimon{{=}}100 updelay{{=}}500 >> /etc/modules}}

== Physically install ==
At this point, you're ready to connect the VPN Spoke Node to the network if you haven't already done so. Please set up an 802.1q capable switch with the VLANs listed in AlpineSetup section. Once done, tag all of the VLANs on one port. Connect that port to <code>eth0</code>. Then, connect your first ISP's CPE to a switchport with VLAN 256 untagged.

== SSH ==
Remove password authentication and DNS reverse lookup:

{{Cmd|sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}

== NTP server ==
In order to have attached devices syncing their time agains this host, we need to do some modifications to chrony config. 
Add '<code>allow all</code>' to the end of the '<code>/etc/chrony/chrony.conf</code>' so the file looks something like this:

{{cat|/etc/chrony/chrony.conf|
server pool.ntp.org
initstepslew 10 pool.ntp.org
commandkey 10
keyfile /etc/chrony/chrony.keys
driftfile /etc/chrony/chrony.drift
allow all
}}

Restart chronyd for the changes to take effect
{{cmd|/etc/init.d/chronyd restart}}

== Recursive DNS ==
Install package(s):

{{Cmd|apk add -U unbound}}

With your favorite editor open <code>/etc/unbound/unbound.conf</code> and add the following configuration. If you have a domain that you want unbound to resolve but is internal to your network only, the stub-zone stanza is present:

{{cat|/etc/unbound/unbound.conf|
server:
verbosity: 1
interface: 10.1.0.1
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes
do-daemonize: yes
access-control: 10.1.0.0/16 allow
access-control: 127.0.0.0/8 allow

do-not-query-localhost: no

root-hints: "/etc/unbound/root.hints"

stub-zone:
name: "location1.example.net"
stub-addr: 10.1.0.2

stub-zone:
name: "example.net"
stub-addr: 172.16.255.1
stub-addr: 172.16.255.2
stub-addr: 172.16.255.3
stub-addr: 172.16.255.4
stub-addr: 172.16.255.5
stub-addr: 172.16.255.7

stub-zone:
name: "example2.net"
stub-addr: 172.16.255.1
stub-addr: 172.16.255.2
stub-addr: 172.16.255.3
stub-addr: 172.16.255.4
stub-addr: 172.16.255.5
stub-addr: 172.16.255.7

python:
remote-control:
control-enable: no
}}

Start unbound and start using unbound on this host:

{{Cmd|/etc/init.d/unbound start
rc-update add unbound
echo nameserver 10.1.0.1 > /etc/resolv.conf}}

== Local DNS Zone ==
If you have a DNS zone that is only resolvable internally to your network, you will need a 2nd IP address on your LAN interface, and use NSD to host the zone.

First, add the following to the end of the <code>bond0.8</code> stanza:

{{cat|/etc/network/interfaces|
auto bond0.8
...
...
up ip addr add 10.1.0.2/24 dev bond0.8
}}

Install package(s):

{{Cmd|apk add nsd}}

Create <code>/etc/nsd/nsd.conf</code>:

{{cat|/etc/nsd/nsd.conf|
server:
ip-address: 10.1.0.2
port: 53
server-count: 1
ip4-only: yes
hide-version: yes
identity: ""
zonesdir: "/etc/nsd"
zone:
name: location1.example.net
zonefile: location1.example.net.zone
}}

Create zonefile in <code>/etc/nsd/location1.example.net.zone</code>:

{{cat|/etc/nsd/location1.example.net.zone|
;## location1.example.net authoritative zone

$ORIGIN location1.example.net.
$TTL 86400

@ IN SOA ns1.location1.example.net. webmaster.location1.example.net. (
2013081901 ; serial
28800 ; refresh
7200 ; retry
86400 ; expire
86400 ; min TTL
)

NS ns1.location1.example.net.
MX 10 mail.location1.example.net.
ns IN A 10.1.0.2
mail IN A 10.1.0.4
}}

Check configuration then start:

{{Cmd|nsd-checkconf /etc/nsd/nsd.conf
nsdc rebuild
/etc/init.d/nsd start
rc-update add nsd}}

== GRE Tunnel ==
With your favorite editor open <code>/etc/network/interfaces</code> and add the following:

{{cat|/etc/network/interfaces|
auto gre1
iface gre1 inet static
pre-up ip tunnel add $IFACE mode gre ttl 64 tos inherit key 12.34.56.78 || true
address 172.16.1.1
netmask 255.255.0.0
post-down ip tunnel del $IFACE || true
}}

Bring up the new <code>gre1</code> interface:

{{Cmd|ifup gre1}}

== IPSEC ==
Install package(s):

{{Cmd|apk add ipsec-tools}}

With your favorite editor create <code>/etc/ipsec.conf</code> and set the content to the following:

{{cat|/etc/ipsec.conf|
spdflush;
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P in ipsec esp/transport//require;
}}

Create missing directory:

{{Cmd|mkdir /etc/racoon/}}

Extract your pfx into <code>/etc/racoon</code>, using the filenames '''<code>ca.pem</code>''', '''<code>cert.pem</code>''', and '''<code>key.pem</code>'''.

With your favorite editor create <code>/etc/racoon/racoon.conf</code> and set the content to the following:

{{cat|/etc/racoon/racoon.conf|
path certificate "/etc/racoon/";
remote anonymous {
exchange_mode main;
lifetime time 2 hour;
certificate_type x509 "/etc/racoon/cert.pem" "/etc/racoon/key.pem";
ca_type x509 "/etc/racoon/ca.pem";
my_identifier asn1dn;
nat_traversal on;
script "/etc/opennhrp/racoon-ph1dead.sh" phase1_dead;
dpd_delay 120;
proposal {
encryption_algorithm aes 256;
hash_algorithm sha1;
authentication_method rsasig;
dh_group modp4096;
}
proposal {
encryption_algorithm aes 256;
hash_algorithm sha1;
authentication_method rsasig;
dh_group 2;
}
}

sainfo anonymous {
pfs_group 2;
lifetime time 2 hour;
encryption_algorithm aes 256;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
}}

Edit <code>/etc/conf.d/racoon</code> and unset <code>RACOON_PSK_FILE</code>:

{{cat|/etc/conf.d/racoon|
...
RACOON_PSK_FILE{{=}}
...
}}

Start service(s):

{{Cmd|/etc/init.d/racoon start
rc-update add racoon}}

== Next Hop Resolution Protocol (NHRP) ==
Install package(s):

{{Cmd|apk add opennhrp}}

With your favorite editor open <code>/etc/opennhrp/opennhrp.conf</code> and change the content to the following:

{{cat|/etc/opennhrp/opennhrp.conf|
interface gre1
dynamic-map 172.16.0.0/16 hub.example.com
shortcut
redirect
non-caching

interface bond0.8
shortcut-destination

interface bond0.64
shortcut-destination
}}

You must have a DNS A record ''<code>hub.example.com</code>'' for each hub node IP address.

With your favorite editor open <code>/etc/opennhrp/opennhrp-script</code> and change the content to the following:

{{cat|/etc/opennhrp/opennhrp-script|
#!/bin/sh

MYAS=$(sed -n 's/router bgp $\d*$/\1/p' < /etc/quagga/bgpd.conf)

case $1 in
interface-up)
echo "Interface $NHRP_INTERFACE is up"
if [ "$NHRP_INTERFACE" = "gre1" ]; then
ip route flush proto 42 dev $NHRP_INTERFACE
ip neigh flush dev $NHRP_INTERFACE

vtysh -d bgpd \
-c "configure terminal" \
-c "router bgp $MYAS" \
-c "no neighbor core" \
-c "neighbor core peer-group"
fi
;;
peer-register)
;;
peer-up)
if [ -n "$NHRP_DESTMTU" ]; then
ARGS=`ip route get $NHRP_DESTNBMA from $NHRP_SRCNBMA | head -1`
ip route add $ARGS proto 42 mtu $NHRP_DESTMTU
fi
echo "Create link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
racoonctl establish-sa -w isakmp inet $NHRP_SRCNBMA $NHRP_DESTNBMA || exit 1
racoonctl establish-sa -w esp inet $NHRP_SRCNBMA $NHRP_DESTNBMA gre || exit 1
;;
peer-down)
echo "Delete link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
racoonctl delete-sa isakmp inet $NHRP_SRCNBMA $NHRP_DESTNBMA
ip route del $NHRP_DESTNBMA src $NHRP_SRCNBMA proto 42
;;
nhs-up)
echo "NHS UP $NHRP_DESTADDR"
(
flock -x 200
vtysh -d bgpd \
-c "configure terminal" \
-c "router bgp $MYAS" \
-c "neighbor $NHRP_DESTADDR remote-as 65000" \
-c "neighbor $NHRP_DESTADDR peer-group core" \
-c "exit" \
-c "exit" \
-c "clear bgp $NHRP_DESTADDR"
) 200>/var/lock/opennhrp-script.lock
;;
nhs-down)
(
flock -x 200
vtysh -d bgpd \
-c "configure terminal" \
-c "router bgp $MYAS" \
-c "no neighbor $NHRP_DESTADDR"
) 200>/var/lock/opennhrp-script.lock
;;
route-up)
echo "Route $NHRP_DESTADDR/$NHRP_DESTPREFIX is up"
ip route replace $NHRP_DESTADDR/$NHRP_DESTPREFIX proto 42 via $NHRP_NEXTHOP dev $NHRP_INTERFACE
ip route flush cache
;;
route-down)
echo "Route $NHRP_DESTADDR/$NHRP_DESTPREFIX is down"
ip route del $NHRP_DESTADDR/$NHRP_DESTPREFIX proto 42
ip route flush cache
;;
esac

exit 0
}}

Make it executable and start service(s):

{{Cmd|chmod +x /etc/opennhrp/opennhrp-script
/etc/init.d/opennhrp start
rc-update add opennhrp}}

== BGP ==
Install package(s):

{{Cmd|apk add quagga
touch /etc/quagga/zebra.conf}}

With your favorite editor open <code>/etc/quagga/bgpd.conf</code> and change the content to the following (replace <code>strongpassword</code> with a password of your choice and <code>%HUB_GRE_IP%</code> with the '''Hub''' node GRE IP address):
* Add the line <code>neighbor %HUB_GRE_IP% remote-as 65000</code> for each '''Hub''' host you have in your NBMA cloud.

{{cat|/etc/quagga/bgpd.conf|
password strongpassword
enable password strongpassword
log syslog

access-list 1 remark Command line access authorized IP
access-list 1 permit 127.0.0.1
line vty
access-class 1

hostname vpnc.example.net

router bgp 65001
bgp router-id 172.16.1.1
network 10.1.0.0/16
neighbor %HUB_GRE_IP% remote-as 65000
neighbor %HUB_GRE_IP% remote-as 65000
...
}}

Start service(s):

{{Cmd|/etc/init.d/bgpd start
rc-update add bgpd}}

== OpenVPN ==
Install package(s):

{{Cmd|echo tun >> /etc/modules
modprobe tun
apk add openvpn openssl
openssl dhparam -out /etc/openvpn/dh1024.pem 1024}}

Configure openvpn:

{{cat|/etc/openvpn/openvpn.conf|
dev tun
proto udp
port 1194

server 10.1.128.0 255.255.255.0
push "route 10.0.0.0 255.0.0.0"
push "dhcp-option DNS 10.1.0.1"

tls-server
ca /etc/openvpn/cacert.pem
cert /etc/openvpn/servercert.pem
key /etc/openvpn/serverkey.pem

crl-verify /etc/openvpn/crl.pem

dh /etc/openvpn/dh1024.pem

persist-key
persist-tun

keepalive 10 120

comp-lzo

status /var/log/openvpn.status
mute 20
verb 3
}}

Start service(s):

{{Cmd|/etc/init.d/openvpn start
rc-update add openvpn}}

== Firewall ==
Install package(s):

{{Cmd|apk add awall}}

Enable IP forwarding:

{{Cmd|sysctl -w net.ipv4.ip_forward{{=}}1
sed -i 's/.*net\.ipv4\.ip_forward.*$/net.ipv4.ip_forward {{=}} 1/g' /etc/sysctl.conf}}

With your favorite editor, edit the following files and set their contents as follows:

{{cat|/etc/awall/optional/params.json|
{
"description": "params",

"variable": {
"B_IF" {{=}} "bond0.8",
"C_IF" {{=}} "bond0.64",
"ISP1_IF" {{=}} "bond0.256",
"ISP2_IF" {{=}} "bond0.257"
}
}
}}

{{cat|/etc/awall/optional/internet-host.json|
{
"description": "Internet host",

"import": "params",

"zone": {
"E": { "iface": [ "$ISP1_IF", "$ISP2_IF" ] },
"ISP1": { "iface": "$ISP1_IF" },
"ISP2": { "iface": "$ISP2_IF" }
},

"filter": [
{
"in": "E",
"service": "ping",
"action": "accept",
"flow-limit": { "count": 10, "interval": 6 }
},
{
"in": "E",
"out": "_fw",
"service": [ "ssh", "https" ],
"action": "accept",
"conn-limit": { "count": 3, "interval": 60 }
},

{
"in": "_fw",
"out": "E",
"service": [ "dns", "http", "ntp" ],
"action": "accept"
},
{
"in": "_fw",
"service": [ "ping", "ssh" ],
"action": "accept"
}
]
}
}}

{{cat|/etc/awall/optional/openvpn.json|
{
"description": "OpenVPN support",

"import": "internet-host",

"service": {
"openvpn": { "proto": "udp", "port": 1194 }
},

"filter": [
{ "in": "E", "out": "_fw", "service": "openvpn", "action": "accept" }
]
}
}}

{{cat|/etc/awall/optional/clampmss.json|
{
"description": "Deal with ISPs afraid of ICMP",

"import": "internet-host",

"clamp-mss": [ { "out": "E" } ]
}
}}

{{cat|/etc/awall/optional/mark.json|
{
"description": "Mark traffic based on ISP",

"import": [ "params", "internet-host" ],

"route-track": [
{ "out": "ISP1", "mark": 1 },
{ "out": "ISP2", "mark": 2 }
]
}
}}

{{cat|/etc/awall/optional/dmvpn.json|
{
"description": "DMVPN router",

"import": "internet-host",

"variable": {
"A_ADDR": [ "10.0.0.0/8", "172.16.0.0/16" ]
},

"zone": {
"A": { "addr": "$A_ADDR", "iface": "gre1" }
},

"filter": [
{ "in": "E", "out": "_fw", "service": "ipsec", "action": "accept" },
{ "in": "_fw", "out": "E", "service": "ipsec", "action": "accept" },
{
"in": "E",
"out": "_fw",
"ipsec": "in",
"service": "gre",
"action": "accept"
},
{
"in": "_fw",
"out": "E",
"ipsec": "out",
"service": "gre",
"action": "accept"
},

{ "in": "_fw", "out": "A", "service": "bgp", "action": "accept" },
{ "in": "A", "out": "_fw", "service": "bgp", "action": "accept"},
{ "out": "E", "dest": "$A_ADDR", "action": "reject" }
]
}
}}

{{cat|/etc/awall/optional/vpnc.json|
{
"description": "VPNc",

"import": [ "params", "internet-host", "dmvpn" ],

"zone": {
"B": { "iface": "$B_IF" },
"C": { "iface": "$C_IF" }
},

"policy": [
{ "in": "A", "action": "accept" },
{ "in": "B", "out": "A", "action": "accept" },
{ "in": "C", "out": [ "A", "E" ], "action": "accept" },
{ "in": "E", "action": "drop" },
{ "in": "_fw", "out": "A", "action": "accept" }
],

"snat": [
{ "out": "E" }
],

"filter": [
{
"in": "A",
"out": "_fw",
"service": [ "ping", "ssh", "http", "https" ],
"action": "accept"
},

{
"in": [ "B", "C" ],
"out": "_fw",
"service": [ "dns", "ntp", "http", "https", "ssh" ],
"action": "accept"
},

{
"in": "_fw",
"out": [ "B", "C" ],
"service": [ "dns", "ntp" ],
"action": "accept"
},

{
"in": [ "A", "B", "C" ],
"out": "_fw",
"proto": "icmp",
"action": "accept"
}

]
}
}}

Activate the firewall:

{{Cmd|modprobe ip_tables
modprobe iptable_nat
awall enable clampmss
awall enable openvpn
awall enable vpnc
awall activate
rc-update add iptables}}

== ISP Failover ==
Install package(s):

{{Cmd|apk add pingu
echo -e "1\tisp1">> /etc/iproute2/rt_tables
echo -e "2\tisp2">> /etc/iproute2/rt_tables}}

Configure pingu to monitor our <code>bond0.256</code> and <code>bond0.257</code> interfaces in <code>/etc/pingu/pingu.conf</code>. Add the hosts to monitor for ISP failover to <code>/etc/pingu/pingu.conf</code> and bind to primary ISP. We also set the ping timeout to 4 seconds.:

{{cat|/etc/pingu/pingu.conf|
timeout 4
required 2
retry 11

interface bond0.256 {
# route-table must correspond with mark in /etc/awall/optional/mark.json
route-table 1
fwmark 1
rule-priority 20000
# google dns
ping 8.8.8.8
# opendns
ping 208.67.222.222
}

interface bond0.257 {
# route-table must correspond with mark in /etc/awall/optional/mark.json
route-table 2
fwmark 2
rule-priority 20000
}
}}

Make sure we can reach the public IP from our LAN by adding static route rules for our private net(s). Edit <code>/etc/pingu/route-rules</code>:

{{cat|/etc/pingu/route-rules|
to 10.0.0.0/8 table main prio 1000
to 172.16.0.0/12 table main prio 1000
}}

Start service(s):

{{Cmd|/etc/init.d/pingu start
rc-update add pingu}}

Now, if both hosts stop responding to pings, ISP-1 will be considered down and all gateways via bond0.256 will be removed from main route table. Note that the gateway will not be removed from the route table '1'. This is so we can continue try ping via <code>bond0.256</code> so we can detect that the ISP is back online. When ISP starts working again, the gateways will be added back to main route table again.

== Commit Configuration ==
Commit configuration:

{{Cmd|lbu ci}}

= Hub Node =
We will document only what changes from the Spoke node setup.

== Routing Tables ==
{{Todo|Would we need to change this command - or add some description on why it's documented?}}

{{Cmd|echo -e "42\tnhrp_shortcut\n43\tnhrp_mtu\n44\tquagga\n}}

== NHRP ==
With your favorite editor open <code>/etc/opennhrp/opennhrp.conf</code> on Hub 2 and set the content as follows:

{{cat|/etc/opennhrp/opennhrp.conf|
interface gre1
map %Hub1_GRE_IP%/%MaskBit% hub1.example.org
route-table 44
shortcut
redirect
non-caching
}}

Do the same on Hub 1 adding the data relative to Hub 2.

With your favorite editor open <code>/etc/opennhrp/opennhrp-script</code> and set the content as follows:

{{cat|/etc/opennhrp/opennhrp-script|
#!/bin/sh

case $1 in
interface-up)
ip route flush proto 42 dev $NHRP_INTERFACE
ip neigh flush dev $NHRP_INTERFACE
;;
peer-register)
CERT=`racoonctl get-cert inet $NHRP_SRCNBMA $NHRP_DESTNBMA | openssl x509 -inform der -text -noout | egrep -o "/OU=[^/]*(/[0-9]+)?" | cut -b 5-`
if [ -z "`echo "$CERT" | grep "^GRE=$NHRP_DESTADDR"`" ]; then
logger -t opennhrp-script -p auth.err "GRE registration of $NHRP_DESTADDR to $NHRP_DESTNBMA DENIED"
exit 1
fi
logger -t opennhrp-script -p auth.info "GRE registration of $NHRP_DESTADDR to $NHRP_DESTNBMA authenticated"

(
flock -x 200

AS=`echo "$CERT" | grep "^AS=" | cut -b 4-`
vtysh -d bgpd -c "configure terminal" \
-c "router bgp 65000" \
-c "neighbor $NHRP_DESTADDR remote-as $AS" \
-c "neighbor $NHRP_DESTADDR peer-group leaf" \
-c "neighbor $NHRP_DESTADDR prefix-list net-$AS-in in"

SEQ=5
(echo "$CERT" | grep "^NET=" | cut -b 5-) | while read NET; do
vtysh -d bgpd -c "configure terminal" \
-c "ip prefix-list net-$AS-in seq $SEQ permit $NET le 26"
SEQ=$(($SEQ+5))
done
) 200>/var/lock/opennhrp-script.lock
;;
peer-up)
echo "Create link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
racoonctl establish-sa -w isakmp inet $NHRP_SRCNBMA $NHRP_DESTNBMA || exit 1
racoonctl establish-sa -w esp inet $NHRP_SRCNBMA $NHRP_DESTNBMA gre || exit 1

CERT=`racoonctl get-cert inet $NHRP_SRCNBMA $NHRP_DESTNBMA | openssl x509 -inform der -text -noout | egrep -o "/OU=[^/]*(/[0-9]+)?" | cut -b 5-`
if [ -z "`echo "$CERT" | grep "^GRE=$NHRP_DESTADDR"`" ]; then
logger -p daemon.err "GRE mapping of $NHRP_DESTADDR to $NHRP_DESTNBMA DENIED"
exit 1
fi

if [ -n "$NHRP_DESTMTU" ]; then
ARGS=`ip route get $NHRP_DESTNBMA from $NHRP_SRCNBMA | head -1`
ip route add $ARGS proto 42 mtu $NHRP_DESTMTU table nhrp_mtu
fi
;;
peer-down)
echo "Delete link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
if [ "$NHRP_PEER_DOWN_REASON" != "lower-down" ]; then
racoonctl delete-sa isakmp inet $NHRP_SRCNBMA $NHRP_DESTNBMA
fi
ip route del $NHRP_DESTNBMA src $NHRP_SRCNBMA proto 42 table nhrp_mtu
;;
route-up)
echo "Route $NHRP_DESTADDR/$NHRP_DESTPREFIX is up"
ip route replace $NHRP_DESTADDR/$NHRP_DESTPREFIX proto 42 via $NHRP_NEXTHOP dev $NHRP_INTERFACE table nhrp_shortcut
ip route flush cache
;;
route-down)
echo "Route $NHRP_DESTADDR/$NHRP_DESTPREFIX is down"
ip route del $NHRP_DESTADDR/$NHRP_DESTPREFIX proto 42 table nhrp_shortcut
ip route flush cache
;;
esac

exit 0
}}

== BGP ==
With your favorite editor open <code>/etc/quagga/bgpd.conf</code> on Hub 2 and set the content as follows:

{{cat|/etc/quagga/bgpd.conf|
password zebra
enable password zebra
log syslog

router bgp 65000
bgp router-id %Hub2_GRE_IP%
bgp deterministic-med
network %GRE_NETWORK%/%MASK_BITS%
neighbor hub peer-group
neighbor hub next-hop-self
neighbor hub route-map CORE-IN in
neighbor spoke peer-group
neighbor spoke passive
neighbor spoke next-hop-self
neighbor %Spoke1_GRE_IP% remote-as 65001
neighbor %Spoke1_GRE_IP% peer-group spoke
neighbor %Spoke1_GRE_IP% prefix-list net-65001-in in
...
...
...

neighbor hub remote-as 65000
neighbor %Hub1_GRE_IP% peer-group core

ip prefix-list net-65001-in seq 5 permit 10.1.0.0/16 le 26
...

route-map CORE-IN permit 10
set metric +100
}}

Add the lines <code>neighbor %Spoke1_GRE_IP%...</code> for each spoke node you have. Do the same on Hub 1, changing the relevant data for Hub 2.

= Troubleshooting the DMVPN =
== Broken [http://en.wikipedia.org/wiki/Path_MTU_Discovery Path MTU Discovery (PMTUD)] ==
ISPs afraid of ICMP (which is somehow legitimate) often just blindly add <code>no ip unreachables</code> in their router interfaces, effectively creating a [http://en.wikipedia.org/wiki/Black_hole_%28networking%29 blackhole router] that breaks PMTUD, since ICMP Type 3 Code 4 packets (Fragmentation Needed) are dropped. PMTUD is needed by ISAKMP that runs on UDP (TCP works because it uses CLAMPMSS).

For technical details see http://packetlife.net/blog/2008/oct/9/disabling-unreachables-breaks-pmtud/

PMTUD could also be broken due to badly configured DSL modem/routers or bugged firmware. Turning off the firewall on modem itself or any VPN passthrough functionality it may help.

You can easily detect which host is the blackhole router by pinging with DF bit set and with packets of standard MTU size, each hop given in your traceroute to destination:

{{Cmd|ping -M do -s 1472 %IP%}}
{{Note|"-M do" requires GNU ping, present in <code>iputils</code> package}}

If you don't get a response back (either Echo-Response or Fragmentation-Needed) there's firewall dropping ICMP packets. If it answers to normal ping packets (DF bit cleared), most likely you have hit a blackhole router.

== Kernel and NHRP Routing Cache Issues ==
{{Todo|...}}

Template:Cat

2013-09-05T08:00:22Z

Mhavela: Resizing text

<noinclude>{{Template}}
'''A box displaying file contents.'''

== Template Documentation ==
See also:

* [[Template:Cmd]]

====Example====

<nowiki>{{Cat|/path/file|Body '''text'''</nowiki> more 
Second line.}}

produces:

{{Cat|/path/file|Body '''text''' more
Second line.}}

You must escape characters as follows:

<pre>
= not inside [[..]] use &#61; or {{=}}
| not inside [[..]] use &#124; or {{!}}
{{ use &#123; twice or {{lb}}
}} use &#125; twice or {{rb}}
unmatched [[ use &#91; twice
unmatched ]] use &#93; twice
# use &#35;
</pre>

</noinclude><includeonly><div>Contents of {{Path|{{{1}}}}}<div style="background-color:#f9f9f9; border:1px dashed #2f6fab; border-left:1px solid #2f6fab; margin-top:-.2em; line-height:1.1em; padding:1em; font-family:monospace; font-size:10pt; white-space:pre; overflow:auto;">{{#tag:nowiki|{{{2}}}}}</div></div></includeonly>

Dynamic Multipoint VPN (DMVPN)

2013-09-05T07:58:01Z

Mhavela: Mostly formatting

{{Draft}}

http://alpinelinux.org/about under '''Why the Name Alpine?''' states: [ref?]

''The first open-source implementation of Cisco's DMVPN, called OpenNHRP, was written for Alpine Linux.''

So the aim of this document is to be the reference Linux DMVPN setup, with all the networking services needed for the clients that will use the DMVPN (DNS, DHCP, firewall, etc.).

= Terminology =
;NBMA: ''Non-Broadcast Multi-Access'' network as described in [http://tools.ietf.org/html/rfc2332 RFC 2332]

;Hub: the ''Next Hop Server'' (NHS) performing the Next Hop Resolution Protocol service within the NBMA cloud.

;Spoke: the ''Next Hop Resolution Protocol Client'' (NHC) which initiates NHRP requests of various types in order to obtain access to the NHRP service.

{{Tip|At the time of this writing the recommended Alpine version for building a DMVPN should be at minimum 2.4.11. Don't use 2.5.x, or 2.6.0 since the kernel has in-tunnel IP fragmentation issues. Alpine 2.6.1 or later should be okay instead.}}

{{Note|This document assumes that all Alpine installations are run in [[Installation#Basics|diskless mode]] and that the configuration is saved on USB key}}

= Hardware =
If you are looking for hundreds of megabits of throughput for your VPN with a limited budget, you should consider using [http://www.via.com.tw/en/initiatives/padlock/hardware.jsp VIA Padlock] engine present in VIA processor C7, Eden, Nano and Quad. If you need gigabits throughput you should go instead for an Intel Xeon processor with [http://software.intel.com/en-us/articles/intel-advanced-encryption-standard-instructions-aes-ni AES-NI] and [http://software.intel.com/en-us/articles/intel-sha-extensions SHA Extensions]

For supporting VIA Padlock engine enable its modules:

{{Cmd|echo -e "padlock_aes\npadlock-sha" >> /etc/modules}}

= Extract Certificates =
We will use certificates for DMVPN and for OpenVPN (RoadWarrior clients). If you are in need to generate your own certificates, please see [[Generating_SSL_certs_with_ACF]]. You should use a separate machine for this purpose. If you downloaded the certificates on a Windows machine, you may use [http://winscp.net/eng/download.php WinSCP] to copy them on the DMVPN box.

Here are the general purpose instruction for extracting certificates from pfx files:

{{Cmd|openssl pkcs12 -in cert.pfx -cacerts -nokeys -out cacert.pem
openssl pkcs12 -in cert.pfx -nocerts -nodes -out serverkey.pem
openssl pkcs12 -in cert.pfx -nokeys -clcerts -out cert.pem
}}

Set appropriate permission for your certificate files:

{{Cmd|chmod 600 *.pem *.pfx}}

= Spoke Node =
A local spoke node network has support for multiple ISP connections, along with redundant layer 2 switches. At least one 802.1q capable switch is required, and a second is optional for redundancy purposes. The typical spoke node network looks like:

[[File:DMVPN-Spoke.png]]

== Alpine Setup ==
We will setup the network interfaces as follows:

bond0.3 = Management '''(not implemented below yet)''' 
bond0.8 = LAN 
bond0.64 = DMZ 
bond0.80 = Voice '''(not implemented below yet)''' 
bond0.96 = Internet Access Only (no access to the DMVPN network)'''(not implemented below yet)''' 
bond0.256 = ISP1 
bond0.257 = ISP2 

Boot Alpine in [[Installation#Basics|diskless mode]] and run <code>[[setup-alpine]]</code>

{|class="wikitable"
!'''You will be prompted something like this...'''
!'''Suggestion on what you could enter...'''
|-
|<code>Select keyboard layout [none]:</code>
|''Type an appropriate layout for you''
|-
|<code>Select variant:</code>
|''Type an appropriate layout for you (if prompted)''
|-
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code>
|''Enter the hostname, e.g.'' '''vpnc'''
|-
|<code>Available interfaces are: eth0 Enter '?' for help on bridges, bonding and vlans. Which one do you want to initialize? (or '?' done')</code>
|''Enter'' '''bond0.8'''
|-
|<code>Available bond slaves are: eth0 eth1 Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code>
|'''eth0 eth1'''
|-
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code>
|''Press Enter confirming 'none'''
|-
|<code>IP address for bond0.8? (or 'dhcp', 'none', '?') [dhcp]:</code>
|''Enter the IP address of your LAN interface, e.g.'' '''10.1.0.1'''
|-
|<code>Netmask? [255.255.255.0]:</code>
|''Press Enter confirming '255.255.255.0' or type another appropriate subnet mask''
|-
|<code>Gateway? (or 'none') [none]:</code>
|''Press Enter confirming 'none'''
|-
|<code>Do you want to do any manual network configuration? [no]</code>
|'''yes'''
|-
|''Make a copy of the bond0.8 configuration for bond0.64, bond0.256 and bond0.257 (optional) interfaces. Don't forget to add a gateway and a metric value for ISP interfaces when multiple gateways are set. Save and close the file (:wq)''
|-
|<code>DNS domain name? (e.g. 'bar.com') []:</code>
|''Enter the domain name of your intranet, e.g.,'' '''example.net'''
|-
|<code>DNS nameservers(s)? []:</code>
|'''8.8.8.8 8.8.4.4''' (we will change them later)
|-
|<code>Changing password for root New password:</code>
|''Enter a secure password for the console''
|-
|<code>Retype password:</code>
|''Retype the above password''
|-
|<code>Which timezone are you in? ('?' for list) [UTC]:</code>
|''Press Enter confirming 'UTC'''
|-
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code>
|''Press Enter confirming 'none'''
|-
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code>
|''Select a mirror close to you and press Enter''
|-
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code>
|''Press Enter confirming 'openssh'''
|-
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code>
|''Press Enter confirming 'chrony'''
|-
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code>
|''Press Enter confirming 'none' or type 'none' if needed''
|-
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code>
|''Press Enter confirming 'usb'''
|-
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code>
|''Press Enter confirming '/media/usb/cache'''
|}

== Bonding ==
Update the bonding configuration:

{{cmd|echo bonding mode{{=}}balance-tlb miimon{{=}}100 updelay{{=}}500 >> /etc/modules}}

== Physically install ==
At this point, you're ready to connect the VPN Spoke Node to the network if you haven't already done so. Please set up an 802.1q capable switch with the VLANs listed in AlpineSetup section. Once done, tag all of the VLANs on one port. Connect that port to <code>eth0</code>. Then, connect your first ISP's CPE to a switchport with VLAN 256 untagged.

== SSH ==
Remove password authentication and DNS reverse lookup:

{{Cmd|sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}

== Recursive DNS ==
Install package(s):

{{Cmd|apk add -U unbound}}

With your favorite editor open <code>/etc/unbound/unbound.conf</code> and add the following configuration. If you have a domain that you want unbound to resolve but is internal to your network only, the stub-zone stanza is present:

{{cat|/etc/unbound/unbound.conf|
server:
verbosity: 1
interface: 10.1.0.1
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes
do-daemonize: yes
access-control: 10.1.0.0/16 allow
access-control: 127.0.0.0/8 allow

do-not-query-localhost: no

root-hints: "/etc/unbound/root.hints"

stub-zone:
name: "location1.example.net"
stub-addr: 10.1.0.2

stub-zone:
name: "example.net"
stub-addr: 172.16.255.1
stub-addr: 172.16.255.2
stub-addr: 172.16.255.3
stub-addr: 172.16.255.4
stub-addr: 172.16.255.5
stub-addr: 172.16.255.7

stub-zone:
name: "example2.net"
stub-addr: 172.16.255.1
stub-addr: 172.16.255.2
stub-addr: 172.16.255.3
stub-addr: 172.16.255.4
stub-addr: 172.16.255.5
stub-addr: 172.16.255.7

python:
remote-control:
control-enable: no
}}

Start unbound and start using unbound on this host:

{{Cmd|/etc/init.d/unbound start
rc-update add unbound
echo nameserver 10.1.0.1 > /etc/resolv.conf}}

== Local DNS Zone ==
If you have a DNS zone that is only resolvable internally to your network, you will need a 2nd IP address on your LAN interface, and use NSD to host the zone.

First, add the following to the end of the <code>bond0.8</code> stanza:

{{cat|/etc/network/interfaces|
auto bond0.8
...
...
up ip addr add 10.1.0.2/24 dev bond0.8
}}

Install package(s):

{{Cmd|apk add nsd}}

Create <code>/etc/nsd/nsd.conf</code>:

{{cat|/etc/nsd/nsd.conf|
server:
ip-address: 10.1.0.2
port: 53
server-count: 1
ip4-only: yes
hide-version: yes
identity: ""
zonesdir: "/etc/nsd"
zone:
name: location1.example.net
zonefile: location1.example.net.zone
}}

Create zonefile in <code>/etc/nsd/location1.example.net.zone</code>:

{{cat|/etc/nsd/location1.example.net.zone|
;## location1.example.net authoritative zone

$ORIGIN location1.example.net.
$TTL 86400

@ IN SOA ns1.location1.example.net. webmaster.location1.example.net. (
2013081901 ; serial
28800 ; refresh
7200 ; retry
86400 ; expire
86400 ; min TTL
)

NS ns1.location1.example.net.
MX 10 mail.location1.example.net.
ns IN A 10.1.0.2
mail IN A 10.1.0.4
}}

Check configuration then start:

{{Cmd|nsd-checkconf /etc/nsd/nsd.conf
nsdc rebuild
/etc/init.d/nsd start
rc-update add nsd}}

== GRE Tunnel ==
With your favorite editor open <code>/etc/network/interfaces</code> and add the following:

{{cat|/etc/network/interfaces|
auto gre1
iface gre1 inet static
pre-up ip tunnel add $IFACE mode gre ttl 64 tos inherit key 12.34.56.78 || true
address 172.16.1.1
netmask 255.255.0.0
post-down ip tunnel del $IFACE || true
}}

Bring up the new <code>gre1</code> interface:

{{Cmd|ifup gre1}}

== IPSEC ==
Install package(s):

{{Cmd|apk add ipsec-tools}}

With your favorite editor create <code>/etc/ipsec.conf</code> and set the content to the following:

{{cat|/etc/ipsec.conf|
spdflush;
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P in ipsec esp/transport//require;
}}

Create missing directory:

{{Cmd|mkdir /etc/racoon/}}

Extract your pfx into <code>/etc/racoon</code>, using the filenames '''<code>ca.pem</code>''', '''<code>cert.pem</code>''', and '''<code>key.pem</code>'''.

With your favorite editor create <code>/etc/racoon/racoon.conf</code> and set the content to the following:

{{cat|/etc/racoon/racoon.conf|
path certificate "/etc/racoon/";
remote anonymous {
exchange_mode main;
lifetime time 2 hour;
certificate_type x509 "/etc/racoon/cert.pem" "/etc/racoon/key.pem";
ca_type x509 "/etc/racoon/ca.pem";
my_identifier asn1dn;
nat_traversal on;
script "/etc/opennhrp/racoon-ph1dead.sh" phase1_dead;
dpd_delay 120;
proposal {
encryption_algorithm aes 256;
hash_algorithm sha1;
authentication_method rsasig;
dh_group modp4096;
}
proposal {
encryption_algorithm aes 256;
hash_algorithm sha1;
authentication_method rsasig;
dh_group 2;
}
}

sainfo anonymous {
pfs_group 2;
lifetime time 2 hour;
encryption_algorithm aes 256;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
}}

Edit <code>/etc/conf.d/racoon</code> and unset <code>RACOON_PSK_FILE</code>:

{{cat|/etc/conf.d/racoon|
...
RACOON_PSK_FILE{{=}}
...
}}

Start service(s):

{{Cmd|/etc/init.d/racoon start
rc-update add racoon}}

== Next Hop Resolution Protocol (NHRP) ==
Install package(s):

{{Cmd|apk add opennhrp}}

With your favorite editor open <code>/etc/opennhrp/opennhrp.conf</code> and change the content to the following:

{{cat|/etc/opennhrp/opennhrp.conf|
interface gre1
dynamic-map 172.16.0.0/16 hub.example.com
shortcut
redirect
non-caching

interface bond0.8
shortcut-destination

interface bond0.64
shortcut-destination
}}

You must have a DNS A record ''<code>hub.example.com</code>'' for each hub node IP address.

With your favorite editor open <code>/etc/opennhrp/opennhrp-script</code> and change the content to the following:

{{cat|/etc/opennhrp/opennhrp-script|
#!/bin/sh

MYAS=$(sed -n 's/router bgp $\d*$/\1/p' < /etc/quagga/bgpd.conf)

case $1 in
interface-up)
echo "Interface $NHRP_INTERFACE is up"
if [ "$NHRP_INTERFACE" = "gre1" ]; then
ip route flush proto 42 dev $NHRP_INTERFACE
ip neigh flush dev $NHRP_INTERFACE

vtysh -d bgpd \
-c "configure terminal" \
-c "router bgp $MYAS" \
-c "no neighbor core" \
-c "neighbor core peer-group"
fi
;;
peer-register)
;;
peer-up)
if [ -n "$NHRP_DESTMTU" ]; then
ARGS=`ip route get $NHRP_DESTNBMA from $NHRP_SRCNBMA | head -1`
ip route add $ARGS proto 42 mtu $NHRP_DESTMTU
fi
echo "Create link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
racoonctl establish-sa -w isakmp inet $NHRP_SRCNBMA $NHRP_DESTNBMA || exit 1
racoonctl establish-sa -w esp inet $NHRP_SRCNBMA $NHRP_DESTNBMA gre || exit 1
;;
peer-down)
echo "Delete link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
racoonctl delete-sa isakmp inet $NHRP_SRCNBMA $NHRP_DESTNBMA
ip route del $NHRP_DESTNBMA src $NHRP_SRCNBMA proto 42
;;
nhs-up)
echo "NHS UP $NHRP_DESTADDR"
(
flock -x 200
vtysh -d bgpd \
-c "configure terminal" \
-c "router bgp $MYAS" \
-c "neighbor $NHRP_DESTADDR remote-as 65000" \
-c "neighbor $NHRP_DESTADDR peer-group core" \
-c "exit" \
-c "exit" \
-c "clear bgp $NHRP_DESTADDR"
) 200>/var/lock/opennhrp-script.lock
;;
nhs-down)
(
flock -x 200
vtysh -d bgpd \
-c "configure terminal" \
-c "router bgp $MYAS" \
-c "no neighbor $NHRP_DESTADDR"
) 200>/var/lock/opennhrp-script.lock
;;
route-up)
echo "Route $NHRP_DESTADDR/$NHRP_DESTPREFIX is up"
ip route replace $NHRP_DESTADDR/$NHRP_DESTPREFIX proto 42 via $NHRP_NEXTHOP dev $NHRP_INTERFACE
ip route flush cache
;;
route-down)
echo "Route $NHRP_DESTADDR/$NHRP_DESTPREFIX is down"
ip route del $NHRP_DESTADDR/$NHRP_DESTPREFIX proto 42
ip route flush cache
;;
esac

exit 0
}}

Make it executable and start service(s):

{{Cmd|chmod +x /etc/opennhrp/opennhrp-script
/etc/init.d/opennhrp start
rc-update add opennhrp}}

== BGP ==
Install package(s):

{{Cmd|apk add quagga
touch /etc/quagga/zebra.conf}}

With your favorite editor open <code>/etc/quagga/bgpd.conf</code> and change the content to the following (replace <code>strongpassword</code> with a password of your choice and <code>%HUB_GRE_IP%</code> with the '''Hub''' node GRE IP address):
* Add the line <code>neighbor %HUB_GRE_IP% remote-as 65000</code> for each '''Hub''' host you have in your NBMA cloud.

{{cat|/etc/quagga/bgpd.conf|
password strongpassword
enable password strongpassword
log syslog

access-list 1 remark Command line access authorized IP
access-list 1 permit 127.0.0.1
line vty
access-class 1

hostname vpnc.example.net

router bgp 65001
bgp router-id 172.16.1.1
network 10.1.0.0/16
neighbor %HUB_GRE_IP% remote-as 65000
neighbor %HUB_GRE_IP% remote-as 65000
...
}}

Start service(s):

{{Cmd|/etc/init.d/bgpd start
rc-update add bgpd}}

== OpenVPN ==
Install package(s):

{{Cmd|echo tun >> /etc/modules
modprobe tun
apk add openvpn openssl
openssl dhparam -out /etc/openvpn/dh1024.pem 1024}}

Configure openvpn:

{{cat|/etc/openvpn/openvpn.conf|
dev tun
proto udp
port 1194

server 10.1.128.0 255.255.255.0
push "route 10.0.0.0 255.0.0.0"
push "dhcp-option DNS 10.1.0.1"

tls-server
ca /etc/openvpn/cacert.pem
cert /etc/openvpn/servercert.pem
key /etc/openvpn/serverkey.pem

crl-verify /etc/openvpn/crl.pem

dh /etc/openvpn/dh1024.pem

persist-key
persist-tun

keepalive 10 120

comp-lzo

status /var/log/openvpn.status
mute 20
verb 3
}}

Start service(s):

{{Cmd|/etc/init.d/openvpn start
rc-update add openvpn}}

== Firewall ==
Install package(s):

{{Cmd|apk add awall}}

Enable IP forwarding:

{{Cmd|sysctl -w net.ipv4.ip_forward{{=}}1
sed -i 's/.*net\.ipv4\.ip_forward.*$/net.ipv4.ip_forward {{=}} 1/g' /etc/sysctl.conf}}

With your favorite editor, edit the following files and set their contents as follows:

{{cat|/etc/awall/optional/params.json|
{
"description": "params",

"variable": {
"B_IF" {{=}} "bond0.8",
"C_IF" {{=}} "bond0.64",
"ISP1_IF" {{=}} "bond0.256",
"ISP2_IF" {{=}} "bond0.257"
}
}
}}

{{cat|/etc/awall/optional/internet-host.json|
{
"description": "Internet host",

"import": "params",

"zone": {
"E": { "iface": [ "$ISP1_IF", "$ISP2_IF" ] },
"ISP1": { "iface": "$ISP1_IF" },
"ISP2": { "iface": "$ISP2_IF" }
},

"filter": [
{
"in": "E",
"service": "ping",
"action": "accept",
"flow-limit": { "count": 10, "interval": 6 }
},
{
"in": "E",
"out": "_fw",
"service": [ "ssh", "https" ],
"action": "accept",
"conn-limit": { "count": 3, "interval": 60 }
},

{
"in": "_fw",
"out": "E",
"service": [ "dns", "http", "ntp" ],
"action": "accept"
},
{
"in": "_fw",
"service": [ "ping", "ssh" ],
"action": "accept"
}
]
}
}}

{{cat|/etc/awall/optional/openvpn.json|
{
"description": "OpenVPN support",

"import": "internet-host",

"service": {
"openvpn": { "proto": "udp", "port": 1194 }
},

"filter": [
{ "in": "E", "out": "_fw", "service": "openvpn", "action": "accept" }
]
}
}}

{{cat|/etc/awall/optional/clampmss.json|
{
"description": "Deal with ISPs afraid of ICMP",

"import": "internet-host",

"clamp-mss": [ { "out": "E" } ]
}
}}

{{cat|/etc/awall/optional/mark.json|
{
"description": "Mark traffic based on ISP",

"import": [ "params", "internet-host" ],

"route-track": [
{ "out": "ISP1", "mark": 1 },
{ "out": "ISP2", "mark": 2 }
]
}
}}

{{cat|/etc/awall/optional/dmvpn.json|
{
"description": "DMVPN router",

"import": "internet-host",

"variable": {
"A_ADDR": [ "10.0.0.0/8", "172.16.0.0/16" ]
},

"zone": {
"A": { "addr": "$A_ADDR", "iface": "gre1" }
},

"filter": [
{ "in": "E", "out": "_fw", "service": "ipsec", "action": "accept" },
{ "in": "_fw", "out": "E", "service": "ipsec", "action": "accept" },
{
"in": "E",
"out": "_fw",
"ipsec": "in",
"service": "gre",
"action": "accept"
},
{
"in": "_fw",
"out": "E",
"ipsec": "out",
"service": "gre",
"action": "accept"
},

{ "in": "_fw", "out": "A", "service": "bgp", "action": "accept" },
{ "in": "A", "out": "_fw", "service": "bgp", "action": "accept"},
{ "out": "E", "dest": "$A_ADDR", "action": "reject" }
]
}
}}

{{cat|/etc/awall/optional/vpnc.json|
{
"description": "VPNc",

"import": [ "params", "internet-host", "dmvpn" ],

"zone": {
"B": { "iface": "$B_IF" },
"C": { "iface": "$C_IF" }
},

"policy": [
{ "in": "A", "action": "accept" },
{ "in": "B", "out": "A", "action": "accept" },
{ "in": "C", "out": [ "A", "E" ], "action": "accept" },
{ "in": "E", "action": "drop" },
{ "in": "_fw", "out": "A", "action": "accept" }
],

"snat": [
{ "out": "E" }
],

"filter": [
{
"in": "A",
"out": "_fw",
"service": [ "ping", "ssh", "http", "https" ],
"action": "accept"
},

{
"in": [ "B", "C" ],
"out": "_fw",
"service": [ "dns", "ntp", "http", "https", "ssh" ],
"action": "accept"
},

{
"in": "_fw",
"out": [ "B", "C" ],
"service": [ "dns", "ntp" ],
"action": "accept"
},

{
"in": [ "A", "B", "C" ],
"out": "_fw",
"proto": "icmp",
"action": "accept"
}

]
}
}}

Activate the firewall:

{{Cmd|modprobe ip_tables
modprobe iptable_nat
awall enable clampmss
awall enable openvpn
awall enable vpnc
awall activate
rc-update add iptables}}

== ISP Failover ==
Install package(s):

{{Cmd|apk add pingu
echo -e "1\tisp1">> /etc/iproute2/rt_tables
echo -e "2\tisp2">> /etc/iproute2/rt_tables}}

Configure pingu to monitor our <code>bond0.256</code> and <code>bond0.257</code> interfaces in <code>/etc/pingu/pingu.conf</code>. Add the hosts to monitor for ISP failover to <code>/etc/pingu/pingu.conf</code> and bind to primary ISP. We also set the ping timeout to 4 seconds.:

{{cat|/etc/pingu/pingu.conf|
timeout 4
required 2
retry 11

interface bond0.256 {
# route-table must correspond with mark in /etc/awall/optional/mark.json
route-table 1
fwmark 1
rule-priority 20000
# google dns
ping 8.8.8.8
# opendns
ping 208.67.222.222
}

interface bond0.257 {
# route-table must correspond with mark in /etc/awall/optional/mark.json
route-table 2
fwmark 2
rule-priority 20000
}
}}

Make sure we can reach the public IP from our LAN by adding static route rules for our private net(s). Edit <code>/etc/pingu/route-rules</code>:

{{cat|/etc/pingu/route-rules|
to 10.0.0.0/8 table main prio 1000
to 172.16.0.0/12 table main prio 1000
}}

Start service(s):

{{Cmd|/etc/init.d/pingu start
rc-update add pingu}}

Now, if both hosts stop responding to pings, ISP-1 will be considered down and all gateways via bond0.256 will be removed from main route table. Note that the gateway will not be removed from the route table '1'. This is so we can continue try ping via <code>bond0.256</code> so we can detect that the ISP is back online. When ISP starts working again, the gateways will be added back to main route table again.

== Commit Configuration ==
Commit configuration:

{{Cmd|lbu ci}}

= Hub Node =
We will document only what changes from the Spoke node setup.

== Routing Tables ==
{{Todo|Would we need to change this command - or add some description on why it's documented?}}

{{Cmd|echo -e "42\tnhrp_shortcut\n43\tnhrp_mtu\n44\tquagga\n}}

== NHRP ==
With your favorite editor open <code>/etc/opennhrp/opennhrp.conf</code> on Hub 2 and set the content as follows:

{{cat|/etc/opennhrp/opennhrp.conf|
interface gre1
map %Hub1_GRE_IP%/%MaskBit% hub1.example.org
route-table 44
shortcut
redirect
non-caching
}}

Do the same on Hub 1 adding the data relative to Hub 2.

With your favorite editor open <code>/etc/opennhrp/opennhrp-script</code> and set the content as follows:

{{cat|/etc/opennhrp/opennhrp-script|
#!/bin/sh

case $1 in
interface-up)
ip route flush proto 42 dev $NHRP_INTERFACE
ip neigh flush dev $NHRP_INTERFACE
;;
peer-register)
CERT=`racoonctl get-cert inet $NHRP_SRCNBMA $NHRP_DESTNBMA | openssl x509 -inform der -text -noout | egrep -o "/OU=[^/]*(/[0-9]+)?" | cut -b 5-`
if [ -z "`echo "$CERT" | grep "^GRE=$NHRP_DESTADDR"`" ]; then
logger -t opennhrp-script -p auth.err "GRE registration of $NHRP_DESTADDR to $NHRP_DESTNBMA DENIED"
exit 1
fi
logger -t opennhrp-script -p auth.info "GRE registration of $NHRP_DESTADDR to $NHRP_DESTNBMA authenticated"

(
flock -x 200

AS=`echo "$CERT" | grep "^AS=" | cut -b 4-`
vtysh -d bgpd -c "configure terminal" \
-c "router bgp 65000" \
-c "neighbor $NHRP_DESTADDR remote-as $AS" \
-c "neighbor $NHRP_DESTADDR peer-group leaf" \
-c "neighbor $NHRP_DESTADDR prefix-list net-$AS-in in"

SEQ=5
(echo "$CERT" | grep "^NET=" | cut -b 5-) | while read NET; do
vtysh -d bgpd -c "configure terminal" \
-c "ip prefix-list net-$AS-in seq $SEQ permit $NET le 26"
SEQ=$(($SEQ+5))
done
) 200>/var/lock/opennhrp-script.lock
;;
peer-up)
echo "Create link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
racoonctl establish-sa -w isakmp inet $NHRP_SRCNBMA $NHRP_DESTNBMA || exit 1
racoonctl establish-sa -w esp inet $NHRP_SRCNBMA $NHRP_DESTNBMA gre || exit 1

CERT=`racoonctl get-cert inet $NHRP_SRCNBMA $NHRP_DESTNBMA | openssl x509 -inform der -text -noout | egrep -o "/OU=[^/]*(/[0-9]+)?" | cut -b 5-`
if [ -z "`echo "$CERT" | grep "^GRE=$NHRP_DESTADDR"`" ]; then
logger -p daemon.err "GRE mapping of $NHRP_DESTADDR to $NHRP_DESTNBMA DENIED"
exit 1
fi

if [ -n "$NHRP_DESTMTU" ]; then
ARGS=`ip route get $NHRP_DESTNBMA from $NHRP_SRCNBMA | head -1`
ip route add $ARGS proto 42 mtu $NHRP_DESTMTU table nhrp_mtu
fi
;;
peer-down)
echo "Delete link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
if [ "$NHRP_PEER_DOWN_REASON" != "lower-down" ]; then
racoonctl delete-sa isakmp inet $NHRP_SRCNBMA $NHRP_DESTNBMA
fi
ip route del $NHRP_DESTNBMA src $NHRP_SRCNBMA proto 42 table nhrp_mtu
;;
route-up)
echo "Route $NHRP_DESTADDR/$NHRP_DESTPREFIX is up"
ip route replace $NHRP_DESTADDR/$NHRP_DESTPREFIX proto 42 via $NHRP_NEXTHOP dev $NHRP_INTERFACE table nhrp_shortcut
ip route flush cache
;;
route-down)
echo "Route $NHRP_DESTADDR/$NHRP_DESTPREFIX is down"
ip route del $NHRP_DESTADDR/$NHRP_DESTPREFIX proto 42 table nhrp_shortcut
ip route flush cache
;;
esac

exit 0
}}

== BGP ==
With your favorite editor open <code>/etc/quagga/bgpd.conf</code> on Hub 2 and set the content as follows:

{{cat|/etc/quagga/bgpd.conf|
password zebra
enable password zebra
log syslog

router bgp 65000
bgp router-id %Hub2_GRE_IP%
bgp deterministic-med
network %GRE_NETWORK%/%MASK_BITS%
neighbor hub peer-group
neighbor hub next-hop-self
neighbor hub route-map CORE-IN in
neighbor spoke peer-group
neighbor spoke passive
neighbor spoke next-hop-self
neighbor %Spoke1_GRE_IP% remote-as 65001
neighbor %Spoke1_GRE_IP% peer-group spoke
neighbor %Spoke1_GRE_IP% prefix-list net-65001-in in
...
...
...

neighbor hub remote-as 65000
neighbor %Hub1_GRE_IP% peer-group core

ip prefix-list net-65001-in seq 5 permit 10.1.0.0/16 le 26
...

route-map CORE-IN permit 10
set metric +100
}}

Add the lines <code>neighbor %Spoke1_GRE_IP%...</code> for each spoke node you have. Do the same on Hub 1, changing the relevant data for Hub 2.

= Troubleshooting the DMVPN =
== Broken [http://en.wikipedia.org/wiki/Path_MTU_Discovery Path MTU Discovery (PMTUD)] ==
ISPs afraid of ICMP (which is somehow legitimate) often just blindly add <code>no ip unreachables</code> in their router interfaces, effectively creating a [http://en.wikipedia.org/wiki/Black_hole_%28networking%29 blackhole router] that breaks PMTUD, since ICMP Type 3 Code 4 packets (Fragmentation Needed) are dropped. PMTUD is needed by ISAKMP that runs on UDP (TCP works because it uses CLAMPMSS).

For technical details see http://packetlife.net/blog/2008/oct/9/disabling-unreachables-breaks-pmtud/

PMTUD could also be broken due to badly configured DSL modem/routers or bugged firmware. Turning off the firewall on modem itself or any VPN passthrough functionality it may help.

You can easily detect which host is the blackhole router by pinging with DF bit set and with packets of standard MTU size, each hop given in your traceroute to destination:

{{Cmd|ping -M do -s 1472 %IP%}}
{{Note|"-M do" requires GNU ping, present in <code>iputils</code> package}}

If you don't get a response back (either Echo-Response or Fragmentation-Needed) there's firewall dropping ICMP packets. If it answers to normal ping packets (DF bit cleared), most likely you have hit a blackhole router.

== Kernel and NHRP Routing Cache Issues ==
{{Todo|...}}

Dynamic Multipoint VPN (DMVPN)

2013-09-05T07:05:31Z

Mhavela: Enable IP forwarding

{{Draft}}

http://alpinelinux.org/about under '''Why the Name Alpine?''' states: [ref?]

''The first open-source implementation of Cisco's DMVPN, called OpenNHRP, was written for Alpine Linux.''

So the aim of this document is to be the reference Linux DMVPN setup, with all the networking services needed for the clients that will use the DMVPN (DNS, DHCP, firewall, etc.).

= Terminology =
'''NBMA''': ''Non-Broadcast Multi-Access'' network as described in [http://tools.ietf.org/html/rfc2332 RFC 2332]

'''Hub''': the ''Next Hop Server'' (NHS) performing the Next Hop Resolution Protocol service within the NBMA cloud.

'''Spoke''': the ''Next Hop Resolution Protocol Client'' (NHC) which initiates NHRP requests of various types in order to obtain access to the NHRP service.

{{Tip|At the time of this writing the recommended Alpine version for building a DMVPN should be at minimum 2.4.11. Don't use 2.5.x, or 2.6.0 since the kernel has in-tunnel IP fragmentation issues. Alpine 2.6.1 or later should be okay instead.}}

{{Note|This document assumes that all Alpine installations are run in [[Installation#Basics|diskless mode]] and that the configuration is saved on USB key}}

= Hardware =
If you are looking for hundreds of megabits of throughput for your VPN with a limited budget, you should consider using [http://www.via.com.tw/en/initiatives/padlock/hardware.jsp VIA Padlock] engine present in VIA processor C7, Eden, Nano and Quad. If you need gigabits throughput you should go instead for an Intel Xeon processor with [http://software.intel.com/en-us/articles/intel-advanced-encryption-standard-instructions-aes-ni AES-NI] and [http://software.intel.com/en-us/articles/intel-sha-extensions SHA Extensions]

For supporting VIA Padlock engine do the following:
{{Cmd|echo -e "padlock_aes\npadlock-sha" >> /etc/modules}}

= Extract Certificates =
We will use certificates for DMVPN and for OpenVPN (RoadWarrior clients). If you are in need to generate your own certificates, please see [[Generating_SSL_certs_with_ACF]]. You should use a separate machine for this purpose. If you downloaded the certificates on a Windows machine, you may use [http://winscp.net/eng/download.php WinSCP] to copy them on the DMVPN box.

Here are the general purpose instruction for extracting certificates from pfx files:

{{Cmd|openssl pkcs12 -in cert.pfx -cacerts -nokeys -out cacert.pem
openssl pkcs12 -in cert.pfx -nocerts -nodes -out serverkey.pem
openssl pkcs12 -in cert.pfx -nokeys -clcerts -out cert.pem
}}

Remember to set appropriate permission for your certificate files:

{{Cmd|chmod 600 *.pem *.pfx}}

= Spoke Node =
A local spoke node network has support for multiple ISP connections, along with redundant layer 2 switches. At least one 802.1q capable switch is required, and a second is optional for redundancy purposes. The typical spoke node network looks like:

[[File:DMVPN-Spoke.png]]

== Alpine Setup ==
We will setup the network interfaces as follows:

bond0.3 = Management '''(not implemented below yet)''' 
bond0.8 = LAN 
bond0.64 = DMZ 
bond0.80 = Voice '''(not implemented below yet)''' 
bond0.96 = Internet Access Only (no access to the DMVPN network)'''(not implemented below yet)''' 
bond0.256 = ISP1 
bond0.257 = ISP2 

Boot Alpine in [[Installation#Basics|diskless mode]] and run <code>setup-alpine</code>

{|class="wikitable"
!'''You will be prompted something like this...'''
!'''Suggestion on what you could enter...'''
|-
|<code>Select keyboard layout [none]:</code>
|''Type an appropriate layout for you''
|-
|<code>Select variant:</code>
|''Type an appropriate layout for you (if prompted)''
|-
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code>
|''Enter the hostname, e.g.'' '''vpnc'''
|-
|<code>Available interfaces are: eth0 Enter '?' for help on bridges, bonding and vlans. Which one do you want to initialize? (or '?' done')</code>
|''Enter'' '''bond0.8'''
|-
|<code>Available bond slaves are: eth0 eth1 Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code>
|'''eth0 eth1'''
|-
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:</code>
|''Press Enter confirming 'none'''
|-
|<code>IP address for bond0.8? (or 'dhcp', 'none', '?') [dhcp]:</code>
|''Enter the IP address of your LAN interface, e.g.'' '''10.1.0.1'''
|-
|<code>Netmask? [255.255.255.0]:</code>
|''Press Enter confirming '255.255.255.0' or type another appropriate subnet mask''
|-
|<code>Gateway? (or 'none') [none]:</code>
|''Press Enter confirming 'none'''
|-
|<code>Do you want to do any manual network configuration? [no]</code>
|'''yes'''
|-
|''Make a copy of the bond0.8 configuration for bond0.64, bond0.256 and bond0.257 (optional) interfaces. Don't forget to add a gateway and a metric value for ISP interfaces when multiple gateways are set. Save and close the file (:wq)''
|-
|<code>DNS domain name? (e.g. 'bar.com') []:</code>
|''Enter the domain name of your intranet, e.g.,'' '''example.net'''
|-
|<code>DNS nameservers(s)? []:</code>
|'''8.8.8.8 8.8.4.4''' (we will change them later)
|-
|<code>Changing password for root New password:</code>
|''Enter a secure password for the console''
|-
|<code>Retype password:</code>
|''Retype the above password''
|-
|<code>Which timezone are you in? ('?' for list) [UTC]:</code>
|''Press Enter confirming 'UTC'''
|-
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code>
|''Press Enter confirming 'none'''
|-
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code>
|''Select a mirror close to you and press Enter''
|-
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code>
|''Press Enter confirming 'openssh'''
|-
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code>
|''Press Enter confirming 'chrony'''
|-
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code>
|''Press Enter confirming 'none' or type 'none' if needed''
|-
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code>
|''Press Enter confirming 'usb'''
|-
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code>
|''Press Enter confirming '/media/usb/cache'''
|}

== Bonding ==
Update the bonding configuration:

echo bonding mode=balance-tlb miimon=100 updelay=500 >> /etc/modules

== Physically install ==
At this point, you're ready to connect the VPN Spoke Node to the network if you haven't already done so. Please set up an 802.1q capable switch with the VLANs listed in AlpineSetup section. Once done, tag all of the VLANs on one port. Connect that port to eth0. Then, connect your first ISP's CPE to a switchport with VLAN 256 untagged.

== SSH ==
Remove password authentication and DNS reverse lookup:
{{Cmd|sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}

== Recursive DNS ==
{{Cmd|apk add -U unbound}}

With your favorite editor open <code>/etc/unbound/unbound.conf</code> and add the following configuration. If you have a domain that you want unbound to resolve but is internal to your network only, the stub-zone stanza is present:
<pre>
server:
verbosity: 1
interface: 10.1.0.1
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes
do-daemonize: yes
access-control: 10.1.0.0/16 allow
access-control: 127.0.0.0/8 allow

do-not-query-localhost: no

root-hints: "/etc/unbound/root.hints"

stub-zone:
name: "location1.example.net"
stub-addr: 10.1.0.2

stub-zone:
name: "example.net"
stub-addr: 172.16.255.1
stub-addr: 172.16.255.2
stub-addr: 172.16.255.3
stub-addr: 172.16.255.4
stub-addr: 172.16.255.5
stub-addr: 172.16.255.7

stub-zone:
name: "example2.net"
stub-addr: 172.16.255.1
stub-addr: 172.16.255.2
stub-addr: 172.16.255.3
stub-addr: 172.16.255.4
stub-addr: 172.16.255.5
stub-addr: 172.16.255.7

python:
remote-control:
control-enable: no
</pre>

Start unbound:

{{Cmd|/etc/init.d/unbound start
rc-update add unbound
echo nameserver 10.1.0.1 > /etc/resolv.conf}}

== Local DNS Zone ==
If you have a DNS zone that is only resolvable internally to your network, you will need a 2nd IP address on your LAN interface, and use NSD to host the zone.

First, add the following to the end of the bond0.8 stanza in /etc/network/interfaces:

<pre>
auto bond0.8
...
...
up ip addr add 10.1.0.2/24 dev bond0.8
</pre>

Then, install nsd:
{{Cmd|apk add nsd}}

Create /etc/nsd/nsd.conf:
<pre>
server:
ip-address: 10.1.0.2
port: 53
server-count: 1
ip4-only: yes
hide-version: yes
identity: ""
zonesdir: "/etc/nsd"
zone:
name: location1.example.net
zonefile: location1.example.net.zone
</pre>

Create zonefile in /etc/nsd/location1.example.net.zone:
<pre>
;## location1.example.net authoritative zone

$ORIGIN location1.example.net.
$TTL 86400

@ IN SOA ns1.location1.example.net. webmaster.location1.example.net. (
2013081901 ; serial
28800 ; refresh
7200 ; retry
86400 ; expire
86400 ; min TTL
)

NS ns1.location1.example.net.
MX 10 mail.location1.example.net.
ns IN A 10.1.0.2
mail IN A 10.1.0.4
</pre>

Check configuration then start:
{{Cmd|nsd-checkconf /etc/nsd/nsd.conf
nsdc rebuild
/etc/init.d/nsd start
rc-update add nsd}}

== GRE Tunnel ==
With your favorite editor open <code>/etc/network/interfaces</code> and add the following:

auto gre1
iface gre1 inet static
pre-up ip tunnel add $IFACE mode gre ttl 64 tos inherit key 12.34.56.78 || true
address 172.16.1.1
netmask 255.255.0.0
post-down ip tunnel del $IFACE || true

Save and close the file.

{{Cmd|ifup gre1}}

== IPSEC ==
{{Cmd|apk add ipsec-tools}}

With your favorite editor create <code>/etc/ipsec.conf</code> and set the content to the following:

spdflush;
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P in ipsec esp/transport//require;

{{Cmd|mkdir /etc/racoon/}}

Extract your pfx into /etc/racoon, using the filenames '''ca.pem''', '''cert.pem''', and '''key.pem'''.

With your favorite editor create <code>/etc/racoon/racoon.conf</code> and set the content to the following:

<pre>
path certificate "/etc/racoon/";
remote anonymous {
exchange_mode main;
lifetime time 2 hour;
certificate_type x509 "/etc/racoon/cert.pem" "/etc/racoon/key.pem";
ca_type x509 "/etc/racoon/ca.pem";
my_identifier asn1dn;
nat_traversal on;
script "/etc/opennhrp/racoon-ph1dead.sh" phase1_dead;
dpd_delay 120;
proposal {
encryption_algorithm aes 256;
hash_algorithm sha1;
authentication_method rsasig;
dh_group modp4096;
}
proposal {
encryption_algorithm aes 256;
hash_algorithm sha1;
authentication_method rsasig;
dh_group 2;
}
}

sainfo anonymous {
pfs_group 2;
lifetime time 2 hour;
encryption_algorithm aes 256;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
</pre>

Edit /etc/conf.d/racoon and unset RACOON_PSK_FILE:

<pre>
...
RACOON_PSK_FILE=
...
</pre>

Save and close the file.

{{Cmd|/etc/init.d/racoon start
rc-update add racoon}}

== Next Hop Resolution Protocol (NHRP) ==
{{Cmd|apk add opennhrp}}

With your favorite editor open <code>/etc/opennhrp/opennhrp.conf</code> and change the content to the following:

<pre>
interface gre1
dynamic-map 172.16.0.0/16 hub.example.com
shortcut
redirect
non-caching

interface bond0.8
shortcut-destination

interface bond0.64
shortcut-destination
</pre>

You must have a DNS A record ''hub.example.com'' for each hub node IP address.

With your favorite editor open <code>/etc/opennhrp/opennhrp-script</code> and change the content to the following:

<pre>
#!/bin/sh

MYAS=$(sed -n 's/router bgp $\d*$/\1/p' < /etc/quagga/bgpd.conf)

case $1 in
interface-up)
echo "Interface $NHRP_INTERFACE is up"
if [ "$NHRP_INTERFACE" = "gre1" ]; then
ip route flush proto 42 dev $NHRP_INTERFACE
ip neigh flush dev $NHRP_INTERFACE

vtysh -d bgpd \
-c "configure terminal" \
-c "router bgp $MYAS" \
-c "no neighbor core" \
-c "neighbor core peer-group"
fi
;;
peer-register)
;;
peer-up)
if [ -n "$NHRP_DESTMTU" ]; then
ARGS=`ip route get $NHRP_DESTNBMA from $NHRP_SRCNBMA | head -1`
ip route add $ARGS proto 42 mtu $NHRP_DESTMTU
fi
echo "Create link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
racoonctl establish-sa -w isakmp inet $NHRP_SRCNBMA $NHRP_DESTNBMA || exit 1
racoonctl establish-sa -w esp inet $NHRP_SRCNBMA $NHRP_DESTNBMA gre || exit 1
;;
peer-down)
echo "Delete link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
racoonctl delete-sa isakmp inet $NHRP_SRCNBMA $NHRP_DESTNBMA
ip route del $NHRP_DESTNBMA src $NHRP_SRCNBMA proto 42
;;
nhs-up)
echo "NHS UP $NHRP_DESTADDR"
(
flock -x 200
vtysh -d bgpd \
-c "configure terminal" \
-c "router bgp $MYAS" \
-c "neighbor $NHRP_DESTADDR remote-as 65000" \
-c "neighbor $NHRP_DESTADDR peer-group core" \
-c "exit" \
-c "exit" \
-c "clear bgp $NHRP_DESTADDR"
) 200>/var/lock/opennhrp-script.lock
;;
nhs-down)
(
flock -x 200
vtysh -d bgpd \
-c "configure terminal" \
-c "router bgp $MYAS" \
-c "no neighbor $NHRP_DESTADDR"
) 200>/var/lock/opennhrp-script.lock
;;
route-up)
echo "Route $NHRP_DESTADDR/$NHRP_DESTPREFIX is up"
ip route replace $NHRP_DESTADDR/$NHRP_DESTPREFIX proto 42 via $NHRP_NEXTHOP dev $NHRP_INTERFACE
ip route flush cache
;;
route-down)
echo "Route $NHRP_DESTADDR/$NHRP_DESTPREFIX is down"
ip route del $NHRP_DESTADDR/$NHRP_DESTPREFIX proto 42
ip route flush cache
;;
esac

exit 0

</pre>

Save and close the file. Make it executable:

{{Cmd|chmod +x /etc/opennhrp/opennhrp-script
/etc/init.d/opennhrp start
rc-update add opennhrp}}

== BGP ==
{{Cmd|apk add quagga
touch /etc/quagga/zebra.conf}}

With your favorite editor open <code>/etc/quagga/bgpd.conf</code> and change the content to the following (replace <code>strongpassword</code> with a password of your choice and %HUB_GRE_IP% with the '''Hub''' node GRE IP address):

<pre>
password strongpassword
enable password strongpassword
log syslog

access-list 1 remark Command line access authorized IP
access-list 1 permit 127.0.0.1
line vty
access-class 1

hostname vpnc.example.net

router bgp 65001
bgp router-id 172.16.1.1
network 10.1.0.0/16
neighbor %HUB_GRE_IP% remote-as 65000
neighbor %HUB_GRE_IP% remote-as 65000
...
</pre>

Add the line <code>neighbor %HUB_GRE_IP% remote-as 65000</code> for each '''Hub''' host you have in your NBMA cloud.

Save and close the file.

{{Cmd|/etc/init.d/bgpd start
rc-update add bgpd}}

== OpenVPN ==
{{Cmd|echo tun >> /etc/modules
modprobe tun
apk add openvpn openssl
openssl dhparam -out /etc/openvpn/dh1024.pem 1024}}

Set up the config in /etc/openvpn/openvpn.conf
<pre>
dev tun
proto udp
port 1194

server 10.1.128.0 255.255.255.0
push "route 10.0.0.0 255.0.0.0"
push "dhcp-option DNS 10.1.0.1"

tls-server
ca /etc/openvpn/cacert.pem
cert /etc/openvpn/servercert.pem
key /etc/openvpn/serverkey.pem

crl-verify /etc/openvpn/crl.pem

dh /etc/openvpn/dh1024.pem

persist-key
persist-tun

keepalive 10 120

comp-lzo

status /var/log/openvpn.status
mute 20
verb 3
</pre>

{{Cmd|/etc/init.d/openvpn start
rc-update add openvpn}}

== Firewall ==
{{Cmd|apk add awall}}

Enable IP forwarding
{{Cmd|sysctl -w net.ipv4.ip_forward{{=}}1
sed -i 's/.*net\.ipv4\.ip_forward.*$/net.ipv4.ip_forward {{=}} 1/g' /etc/sysctl.conf}}

With your favorite editor, edit the following files and set their contents as follows:

<code>'''/etc/awall/optional/params.json'''</code>
<pre>
{
"description": "params",

"variable": {
"B_IF" = "bond0.8",
"C_IF" = "bond0.64",
"ISP1_IF" = "bond0.256",
"ISP2_IF" = "bond0.257"
}
}
</pre>

<code>'''/etc/awall/optional/internet-host.json'''</code>
<pre>
{
"description": "Internet host",

"import": "params",

"zone": {
"E": { "iface": [ "$ISP1_IF", "$ISP2_IF" ] },
"ISP1": { "iface": "$ISP1_IF" },
"ISP2": { "iface": "$ISP2_IF" }
},

"filter": [
{
"in": "E",
"service": "ping",
"action": "accept",
"flow-limit": { "count": 10, "interval": 6 }
},
{
"in": "E",
"out": "_fw",
"service": [ "ssh", "https" ],
"action": "accept",
"conn-limit": { "count": 3, "interval": 60 }
},

{
"in": "_fw",
"out": "E",
"service": [ "dns", "http", "ntp" ],
"action": "accept"
},
{
"in": "_fw",
"service": [ "ping", "ssh" ],
"action": "accept"
}
]
}
</pre>

<code>'''/etc/awall/optional/openvpn.json'''</code>
<pre>
{
"description": "OpenVPN support",

"import": "internet-host",

"service": {
"openvpn": { "proto": "udp", "port": 1194 }
},

"filter": [
{ "in": "E", "out": "_fw", "service": "openvpn", "action": "accept" }
]
}
</pre>

<code>'''/etc/awall/optional/clampmss.json'''</code>
<pre>
{
"description": "Deal with ISPs afraid of ICMP",

"import": "internet-host",

"clamp-mss": [ { "out": "E" } ]
}
</pre>

<code>'''/etc/awall/optional/mark.json'''</code>
<pre>
{
"description": "Mark traffic based on ISP",

"import": [ "params", "internet-host" ],

"route-track": [
{ "out": "ISP1", "mark": 1 },
{ "out": "ISP2", "mark": 2 }
]
}
</pre>

<code>'''/etc/awall/optional/dmvpn.json'''</code>
<pre>
{
"description": "DMVPN router",

"import": "internet-host",

"variable": {
"A_ADDR": [ "10.0.0.0/8", "172.16.0.0/16" ]
},

"zone": {
"A": { "addr": "$A_ADDR", "iface": "gre1" }
},

"filter": [
{ "in": "E", "out": "_fw", "service": "ipsec", "action": "accept" },
{ "in": "_fw", "out": "E", "service": "ipsec", "action": "accept" },
{
"in": "E",
"out": "_fw",
"ipsec": "in",
"service": "gre",
"action": "accept"
},
{
"in": "_fw",
"out": "E",
"ipsec": "out",
"service": "gre",
"action": "accept"
},

{ "in": "_fw", "out": "A", "service": "bgp", "action": "accept" },
{ "in": "A", "out": "_fw", "service": "bgp", "action": "accept"},
{ "out": "E", "dest": "$A_ADDR", "action": "reject" }
]
}
</pre>

<code>'''/etc/awall/optional/vpnc.json'''</code>
<pre>
{
"description": "VPNc",

"import": [ "params", "internet-host", "dmvpn" ],

"zone": {
"B": { "iface": "$B_IF" },
"C": { "iface": "$C_IF" }
},

"policy": [
{ "in": "A", "action": "accept" },
{ "in": "B", "out": "A", "action": "accept" },
{ "in": "C", "out": [ "A", "E" ], "action": "accept" },
{ "in": "E", "action": "drop" },
{ "in": "_fw", "out": "A", "action": "accept" }
],

"snat": [
{ "out": "E" }
],

"filter": [
{
"in": "A",
"out": "_fw",
"service": [ "ping", "ssh", "http", "https" ],
"action": "accept"
},

{
"in": [ "B", "C" ],
"out": "_fw",
"service": [ "dns", "ntp", "http", "https", "ssh" ],
"action": "accept"
},

{
"in": "_fw",
"out": [ "B", "C" ],
"service": [ "dns", "ntp" ],
"action": "accept"
},

{
"in": [ "A", "B", "C" ],
"out": "_fw",
"proto": "icmp",
"action": "accept"
}

]
}
</pre>

{{Cmd|modprobe ip_tables
modprobe iptable_nat
awall enable clampmss
awall enable openvpn
awall enable vpnc
awall activate
rc-update add iptables}}

== ISP Failover ==

{{Cmd|apk add pingu
echo -e "1\tisp1">> /etc/iproute2/rt_tables
echo -e "2\tisp2">> /etc/iproute2/rt_tables}}

Configure pingu to monitor our bond0.256 and bond0.257 interfaces in <code>/etc/pingu/pingu.conf</code>. Add the hosts to monitor for ISP failover to <code>/etc/pingu/pingu.conf</code> and bind to primary ISP. We also set the ping timeout to 4 seconds.:
<pre>
timeout 4
required 2
retry 11

interface bond0.256 {
# route-table must correspond with mark in /etc/awall/optional/mark.json
route-table 1
fwmark 1
rule-priority 20000
# google dns
ping 8.8.8.8
# opendns
ping 208.67.222.222
}

interface bond0.257 {
# route-table must correspond with mark in /etc/awall/optional/mark.json
route-table 2
fwmark 2
rule-priority 20000
}

</pre>

Make sure we can reach the public IP from our LAN by adding static route rules for our private net(s). Edit <code>/etc/pingu/route-rules</code>:
<pre>
to 10.0.0.0/8 table main prio 1000
to 172.16.0.0/12 table main prio 1000
</pre>

Start pingu:
{{Cmd|/etc/init.d/pingu start
rc-update add pingu}}

Now, if both hosts stop responding to pings, ISP-1 will be considered down and all gateways via bond0.256 will be removed from main route table. Note that the gateway will not be removed from the route table '1'. This is so we can continue try ping via bond0.256 so we can detect that the ISP is back online. When ISP starts working again, the gateways will be added back to main route table again.

== Commit Configuration ==
{{Cmd|lbu ci}}

= Hub Node =
We will document only what changes from the Spoke node setup.

== Routing Tables ==
{{Cmd|echo -e "42\tnhrp_shortcut\n43\tnhrp_mtu\n44\tquagga\n}}

== NHRP ==
With your favorite editor open <code>/etc/opennhrp/opennhrp.conf</code> on Hub 2 and set the content as follows:
<pre>
interface gre1
map %Hub1_GRE_IP%/%MaskBit% hub1.example.org
route-table 44
shortcut
redirect
non-caching
</pre>
Do the same on Hub 1 adding the data relative to Hub 2.

With your favorite editor open <code>/etc/opennhrp/opennhrp-script</code> and set the content as follows:
<pre>
#!/bin/sh

case $1 in
interface-up)
ip route flush proto 42 dev $NHRP_INTERFACE
ip neigh flush dev $NHRP_INTERFACE
;;
peer-register)
CERT=`racoonctl get-cert inet $NHRP_SRCNBMA $NHRP_DESTNBMA | openssl x509 -inform der -text -noout | egrep -o "/OU=[^/]*(/[0-9]+)?" | cut -b 5-`
if [ -z "`echo "$CERT" | grep "^GRE=$NHRP_DESTADDR"`" ]; then
logger -t opennhrp-script -p auth.err "GRE registration of $NHRP_DESTADDR to $NHRP_DESTNBMA DENIED"
exit 1
fi
logger -t opennhrp-script -p auth.info "GRE registration of $NHRP_DESTADDR to $NHRP_DESTNBMA authenticated"

(
flock -x 200

AS=`echo "$CERT" | grep "^AS=" | cut -b 4-`
vtysh -d bgpd -c "configure terminal" \
-c "router bgp 65000" \
-c "neighbor $NHRP_DESTADDR remote-as $AS" \
-c "neighbor $NHRP_DESTADDR peer-group leaf" \
-c "neighbor $NHRP_DESTADDR prefix-list net-$AS-in in"

SEQ=5
(echo "$CERT" | grep "^NET=" | cut -b 5-) | while read NET; do
vtysh -d bgpd -c "configure terminal" \
-c "ip prefix-list net-$AS-in seq $SEQ permit $NET le 26"
SEQ=$(($SEQ+5))
done
) 200>/var/lock/opennhrp-script.lock
;;
peer-up)
echo "Create link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
racoonctl establish-sa -w isakmp inet $NHRP_SRCNBMA $NHRP_DESTNBMA || exit 1
racoonctl establish-sa -w esp inet $NHRP_SRCNBMA $NHRP_DESTNBMA gre || exit 1

CERT=`racoonctl get-cert inet $NHRP_SRCNBMA $NHRP_DESTNBMA | openssl x509 -inform der -text -noout | egrep -o "/OU=[^/]*(/[0-9]+)?" | cut -b 5-`
if [ -z "`echo "$CERT" | grep "^GRE=$NHRP_DESTADDR"`" ]; then
logger -p daemon.err "GRE mapping of $NHRP_DESTADDR to $NHRP_DESTNBMA DENIED"
exit 1
fi

if [ -n "$NHRP_DESTMTU" ]; then
ARGS=`ip route get $NHRP_DESTNBMA from $NHRP_SRCNBMA | head -1`
ip route add $ARGS proto 42 mtu $NHRP_DESTMTU table nhrp_mtu
fi
;;
peer-down)
echo "Delete link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
if [ "$NHRP_PEER_DOWN_REASON" != "lower-down" ]; then
racoonctl delete-sa isakmp inet $NHRP_SRCNBMA $NHRP_DESTNBMA
fi
ip route del $NHRP_DESTNBMA src $NHRP_SRCNBMA proto 42 table nhrp_mtu
;;
route-up)
echo "Route $NHRP_DESTADDR/$NHRP_DESTPREFIX is up"
ip route replace $NHRP_DESTADDR/$NHRP_DESTPREFIX proto 42 via $NHRP_NEXTHOP dev $NHRP_INTERFACE table nhrp_shortcut
ip route flush cache
;;
route-down)
echo "Route $NHRP_DESTADDR/$NHRP_DESTPREFIX is down"
ip route del $NHRP_DESTADDR/$NHRP_DESTPREFIX proto 42 table nhrp_shortcut
ip route flush cache
;;
esac

exit 0
</pre>

== BGP ==
With your favorite editor open <code>/etc/quagga/bgpd.conf</code> on Hub 2 and set the content as follows:
<pre>
password zebra
enable password zebra
log syslog

router bgp 65000
bgp router-id %Hub2_GRE_IP%
bgp deterministic-med
network %GRE_NETWORK%/%MASK_BITS%
neighbor hub peer-group
neighbor hub next-hop-self
neighbor hub route-map CORE-IN in
neighbor spoke peer-group
neighbor spoke passive
neighbor spoke next-hop-self
neighbor %Spoke1_GRE_IP% remote-as 65001
neighbor %Spoke1_GRE_IP% peer-group spoke
neighbor %Spoke1_GRE_IP% prefix-list net-65001-in in
...
...
...

neighbor hub remote-as 65000
neighbor %Hub1_GRE_IP% peer-group core

ip prefix-list net-65001-in seq 5 permit 10.1.0.0/16 le 26
...

route-map CORE-IN permit 10
set metric +100
</pre>

Add the lines <code>neighbor %Spoke1_GRE_IP%...</code> for each spoke node you have. Do the same on Hub 1, changing the relevant data for Hub 2.

= Troubleshooting the DMVPN =
== Broken [http://en.wikipedia.org/wiki/Path_MTU_Discovery Path MTU Discovery (PMTUD)] ==
ISPs afraid of ICMP (which is somehow legitimate) often just blindly add <code>no ip unreachables</code> in their router interfaces, effectively creating a [http://en.wikipedia.org/wiki/Black_hole_%28networking%29 blackhole router] that breaks PMTUD, since ICMP Type 3 Code 4 packets (Fragmentation Needed) are dropped. PMTUD is needed by ISAKMP that runs on UDP (TCP works because it uses CLAMPMSS).

For technical details see http://packetlife.net/blog/2008/oct/9/disabling-unreachables-breaks-pmtud/

PMTUD could also be broken due to badly configured DSL modem/routers or bugged firmware. Turning off the firewall on modem itself or any VPN passthrough functionality it may help.

You can easily detect which host is the blackhole router by pinging with DF bit set and with packets of standard MTU size, each hop given in your traceroute to destination:

{{Cmd|ping -M do -s 1472 %IP%}}
{{Note|"-M do" requires GNU ping, present in <code>iputils</code> package}}

If you don't get a response back (either Echo-Response or Fragmentation-Needed) there's firewall dropping ICMP packets. If it answers to normal ping packets (DF bit cleared), most likely you have hit a blackhole router.

== Kernel and NHRP Routing Cache Issues ==
TODO

Create a Bootable Device

2013-08-22T06:56:23Z

Mhavela: /* Creating a bootable Alpine Linux USB Stick with UNetbootin */ Updated link to download page

== Creating a bootable Alpine Linux USB Stick with UNetbootin ==

UNetbootin is a graphical tool that allows you to create bootable Live USB drives for Ubuntu, Fedora, and other Linux distributions without burning a CD. UNetbootin is available for many distributions and Windows. This process applies to all versions of Alpine Linux, and results in a '''run-from-ram''' style installation.

=== Requirements ===
To create a bootable Alpine Linux USB drive, you will need:

* An Alpine Linux ISO image file ([http://alpinelinux.org/downloads Download])
* A partitioned and formatted USB drive
* [http://unetbootin.sourceforge.net/ UNetbootin]

=== Process ===

After the launch of UNetbootin, click the '''Diskimage''' radio button, and then the '''...''' button to select the Alpine ISO image.

[[File:Unetbootin.png|size=400]]

When you selected your USB device under '''Device'' and press '''OK''' to proceed. When UNetbootin is done, your USB drive is ready to use.

== Creating a bootable Alpine Linux USB Stick from the command line ==

This process applies to Alpine Linux 1.9.0 or later, and results in a '''run-from-ram''' style installation.

=== Requirements ===
In order to follow this document, you will need:
* Alpine Linux CD-ROM ([[Downloads|Download]] a .iso file containing an Alpine release.)
* A USB drive (flash, external HD, card reader, etc.)

{{:Include:Copying Alpine to Flash|USB stick}}
=== Slow USB Devices ===
Specifying the 'waitusb=X' option at the end of the syslinux.cfg line might help with certain USB devices that take a bit longer to register. X stands for the amount of seconds kernel will wait before looking for the installation media.
append initrd=/boot/grsec.gz alpine_dev=usbdisk:vfat modules=loop,cramfs,sd-mod,usb-storage quiet '''waitusb=3'''

== See Also ==
{{:Include:Installing_Alpine_see_also}}

[[Category:Installation]]

FaxServer using Asterisk

2013-07-31T06:17:10Z

Mhavela: How to send faxes (e.g. for testing)

{{Draft|This is a experimental page to see if this could replace a more complex setup using Asterisk+IAXmodem+hylafax}}
This document aims to create a as simple as possible to setup fax server to send and receive faxes using {{pkg|asterisk}} and {{pkg|asterisk-fax}}.
__NOTOC__
= Installation =
This wiki-doc is based on [http://www.alpinelinux.org/downloads Alpine Linux 2.6] ''(but might also work on version 2.1.3 or higher)''

Start by [[Installation|setting up]] a Alpine Linux base system ''(you will most likely want to run <code>setup-alpine</code> to setup the most basic settings)''

=== Firewall ===
You might want to setup a firewall to protect your system. We will not address this task in this document. Some firewall alternatives in Alpine Linux are
* [[How-To_Alpine_Wall|AWall]]
* Shorewall
* iptables

= Configure email =
=== Install required packages ===
We will use the package {{pkg|email}} to send the faxes by email to various recipients. Lets start by installing the package
{{cmd|apk add email}}

==== General configuration ====
* Edit the appropriate file
{{cmd|vi /etc/email/email.conf}}
{{tip|Work with your SMTP provider to set the appropriate settings. Most likely you will want to
* Change the variables <code>SMTP_SERVER</code>, <code>SMTP_PORT</code>, <code>MY_NAME</code>, <code>MY_EMAIL</code>, <code>ADDRESS_BOOK</code>
* Comment out the variable <code>SIGNATURE_FILE</code>
}}

==== Address book ====
* Edit the appropriate file ''(In this example we assume you did not change the value of <code>ADDRESS_BOOK</code> variable).
{{cmd|vi /etc/email/email.address.template}}
* Define some email addresses that suits your needs. The upcoming {{pkg|asterisk}} config assumes that you have some predefined records in this address book. Example:
{{cat|/etc/email/email.address.template|# Individual email addresses
single:joe {{=}} joe@foo.bar
single:jeff {{=}} jeff@foo.bar
single:jill {{=}} jill@foo.bar

# Group that will receive error reports
group: grp-support {{=}} joe, jeff

# Group that will receive faxes originated to extension 12345
group: grp-12345 {{=}} joe, jill
}}

==== Test functionality ====
When you done your {{pkg|email}} configuration you can test this by running commands like this:
{{cmd|email -s "testmail" -b jeff}}

= Configure Asterisk =
There are multiple ways to configure Asterisk. This document only describes a very basic setup which you might want to modify based on your needs. But by following this document, you should have a fully functional fax-server using only {{pkg|asterisk}} and {{pkg|asterisk-fax}}.

=== Install required packages ===
At this stage your Alpine Linux only holds some basic packages for base functionallity. We will need to install some extra packages in order to get the fax functionallity.
{{cmd|apk add asterisk asterisk-fax}}

==== General setup ====
Set some general settings
* Edit the appropriate file
{{cmd|vi /etc/asterisk/asterisk.conf}}

* Copy this content to the file
{{cat|/etc/asterisk/asterisk.conf|[global]
astetcdir {{=}}> /etc/asterisk
astmoddir {{=}}> /usr/lib/asterisk/modules
astvarlibdir {{=}}> /var/lib/asterisk
astspooldir {{=}}> /var/spool/asterisk
astrundir {{=}}> /var/run/asterisk
astlogdir {{=}}> /var/log/asterisk
astdbdir {{=}}> /var/lib/asterisk
astkeydir {{=}}> /var/lib/asterisk
astdatadir {{=}}> /var/lib/asterisk
astagidir {{=}}> /var/lib/asterisk/agi-bin
}}

==== Load appropreate modules ====
Asterisk needs some modules to be able to handle fax.
* Edit the appropriate file
{{cmd|vi /etc/asterisk/modules.conf}}

* Copy this content to the file
{{cat|/etc/asterisk/modules.conf|[modules]
autoload{{=}}yes
}}
{{todo|Try changing this so we don't load more modules than we need}}

==== Enable SIP ====
* Edit the appropriate file
{{cmd|vi /etc/asterisk/sip.conf}}

* Copy this content to the file
{{cat|/etc/asterisk/sip.conf|[general]
context{{=}}fax_incoming ; Default context for incoming calls
allowoverlap{{=}}no ; Disable overlap dialing support. (Default is yes)
bindport{{=}}5060 ; UDP Port to bind to (SIP standard port is 5060)
; bindport is the local UDP port that Asterisk will listen on
bindaddr{{=}}0.0.0.0 ; IP address to bind to (0.0.0.0 binds to all)
srvlookup{{=}}no ; Enable DNS SRV lookups on outbound calls
disallow{{=}}all ; First disallow all codecs
allow{{=}}ulaw ; Allow codecs (in order of preference)
allow{{=}}alaw ; Allow codecs (in order of preference)
udpbindaddr{{=}}0.0.0.0
canreinvite{{=}}yes
t38pt_udptl{{=}}yes,redundancy,maxdatagram{{=}}400
}}

==== Enable udptl ====
* Edit the appropriate file
{{cmd|vi /etc/asterisk/udptl.conf}}

* Copy this content to the file
{{cat|/etc/asterisk/udptl.conf|[general]
}}

==== Configure fax ====
* Edit the appropriate file
{{cmd|vi /etc/asterisk/res_fax.conf}}
* Copy this content to the file
{{cat|/etc/asterisk/res_fax.conf|[general]
maxrate{{=}}9600
minrate{{=}}2400
statusevents{{=}}yes
}}

==== Configure dialplan ====
* Edit the appropriate file
{{cmd|vi /etc/asterisk/extensions.lua}}

* Copy this content to the file
{{cat|/etc/asterisk/extensions.lua|TODO...
}}

==== Permissions ====
For {{pkg|asterisk}} to be able to read the new config files, we need to set the correct permissions to the files
{{cmd|chown -R asterisk:asterisk /etc/asterisk}}

==== Start things up ====
Now its time to start up the services
{{cmd|/etc/init.d/asterisk start}}
Configure {{pkg|asterisk}} to autostart at next reboot
{{cmd|rc-update add asterisk}}

= Testing =
== Sending fax ==
=== Prepare ===
Save a '<tt>.tiff</tt>' file into '<tt>/tmp/</tt>' (in our example we name the file '<tt>/tmp/testfax.tiff</tt>').

Create a file that looks something like this ''(modify it for your local needs)''.
{{cat|/tmp/testfax.txt|[general]
Channel: SIP/123@10.20.30.40
Callerid: "TestFAX"
WaitTime: 30
Maxretries:3
RetryTime: 300
Account: 1000
Application: SendFax
Data: /tmp/testfax.tiff
}}
Change permissions on the newly created files
{{cmd|chown asterisk:asterisk /tmp/testfax*}}
=== Send the fax ===
Now copy the '<tt>/tmp/testfax.txt</tt>' to '<tt>/var/spool/asterisk/outgoing/</tt>'. The second you do that, {{pkg|asterisk}} will try to send the fax based on what you wrote in the file.
{{cmd|cp -p /tmp/testfax.txt /var/spool/asterisk/outgoing/}}

FaxServer using Asterisk

2013-07-31T06:06:18Z

Mhavela: udptl and sip configuration. Removing dialplan for now, lua version to come

FaxServer using Asterisk

2013-07-02T16:11:13Z

Mhavela: /* Configure dialplan */ Using variable for setting path to various files. Adding some debug output

{{Draft|This is a experimental page to see if this could replace a more complex setup using Asterisk+IAXmodem+hylafax}}
This document aims to create a as simple as possible to setup fax server to send and receive faxes using {{pkg|asterisk}} and {{pkg|asterisk-fax}}.
__NOTOC__
= Installation =
This wiki-doc is based on [http://www.alpinelinux.org/downloads Alpine Linux 2.6] ''(but might also work on version 2.1.3 or higher)''

Start by [[Installation|setting up]] a Alpine Linux base system ''(you will most likely want to run <code>setup-alpine</code> to setup the most basic settings)''

=== Firewall ===
You might want to setup a firewall to protect your system. We will not address this task in this document. Some firewall alternatives in Alpine Linux are
* [[How-To_Alpine_Wall|AWall]]
* Shorewall
* iptables

= Configure email =
=== Install required packages ===
We will use the package {{pkg|email}} to send the faxes by email to various recipients. Lets start by installing the package
{{cmd|apk add email}}

==== General configuration ====
* Edit the appropriate file
{{cmd|vi /etc/email/email.conf}}
{{tip|Work with your SMTP provider to set the appropriate settings. Most likely you will want to
* Change the variables <code>SMTP_SERVER</code>, <code>SMTP_PORT</code>, <code>MY_NAME</code>, <code>MY_EMAIL</code>, <code>ADDRESS_BOOK</code>
* Comment out the variable <code>SIGNATURE_FILE</code>
}}

==== Address book ====
* Edit the appropriate file ''(In this example we assume you did not change the value of <code>ADDRESS_BOOK</code> variable).
{{cmd|vi /etc/email/email.address.template}}
* Define some email addresses that suits your needs. The upcoming {{pkg|asterisk}} config assumes that you have some predefined records in this address book. Example:
{{cat|/etc/email/email.address.template|# Individual email addresses
single:joe {{=}} joe@foo.bar
single:jeff {{=}} jeff@foo.bar
single:jill {{=}} jill@foo.bar

# Group that will receive error reports
group: grp-support {{=}} joe, jeff

# Group that will receive faxes originated to extension 12345
group: grp-12345 {{=}} joe, jill
}}

==== Test functionality ====
When you done your {{pkg|email}} configuration you can test this by running commands like this:
{{cmd|email -s "testmail" -b jeff}}

= Configure Asterisk =
There are multiple ways to configure Asterisk. This document only describes a very basic setup which you might want to modify based on your needs. But by following this document, you should have a fully functional fax-server using only {{pkg|asterisk}} and {{pkg|asterisk-fax}}.

=== Install required packages ===
At this stage your Alpine Linux only holds some basic packages for base functionallity. We will need to install some extra packages in order to get the fax functionallity.
{{cmd|apk add asterisk asterisk-fax}}

==== General setup ====
Set some general settings
* Edit the appropriate file
{{cmd|vi /etc/asterisk/asterisk.conf}}

* Copy this content to the file
{{cat|/etc/asterisk/asterisk.conf|[global]
astetcdir {{=}}> /etc/asterisk
astmoddir {{=}}> /usr/lib/asterisk/modules
astvarlibdir {{=}}> /var/lib/asterisk
astspooldir {{=}}> /var/spool/asterisk
astrundir {{=}}> /var/run/asterisk
astlogdir {{=}}> /var/log/asterisk
astdbdir {{=}}> /var/lib/asterisk
astkeydir {{=}}> /var/lib/asterisk
astdatadir {{=}}> /var/lib/asterisk
astagidir {{=}}> /var/lib/asterisk/agi-bin
}}

==== Load appropreate modules ====
Asterisk needs some modules to be able to handle fax.
* Edit the appropriate file
{{cmd|vi /etc/asterisk/modules.conf}}

* Copy this content to the file
{{cat|/etc/asterisk/modules.conf|[modules]
autoload{{=}}yes
}}
{{todo|Try changing this so we don't load more modules than we need}}

==== Enable SIP ====
* Edit the appropriate file
{{cmd|vi /etc/asterisk/sip.conf}}

* Copy this content to the file
{{cat|/etc/asterisk/sip.conf|[general]
context{{=}}fax_incoming ; Default context for incoming calls
allowoverlap{{=}}no ; Disable overlap dialing support. (Default is yes)
bindport{{=}}5060 ; UDP Port to bind to (SIP standard port is 5060)
; bindport is the local UDP port that Asterisk will listen on
bindaddr{{=}}0.0.0.0 ; IP address to bind to (0.0.0.0 binds to all)
srvlookup{{=}}yes ; Enable DNS SRV lookups on outbound calls
disallow{{=}}all ; First disallow all codecs
allow{{=}}ulaw ; Allow codecs (in order of preference)
allow{{=}}alaw ; Allow codecs (in order of preference)
udpbindaddr{{=}}0.0.0.0
}}

==== Configure dialplan ====
* Edit the appropriate file
{{cmd|vi /etc/asterisk/extensions.ael}}

* Copy this content to the file
{{cat|/etc/asterisk/extensions.ael|context fax_incoming {
_X. {{=}}> {
Set(FAXDATE{{=}}${STRFTIME(,,%Y%m%d%H%M%S)});
Set(FAXPATH{{=}}/etc/asterisk/spool);
Set(FAXFILE{{=}}${FAXPATH}/fax_incoming_${EXTEN}_${FAXDATE}.tif);
Answer();
System(/bin/mkdir -p ${FAXPATH});
Wait(1);
ReceiveFax(${FAXFILE},f);
Verbose(3,- Fax receipt completed with status: ${FAXSTATUS});
if ("${FAXSTATUS}" {{=}} "FAILED") {
Set(DEBUGINFO{{=}}FAXSTATUS: ${FAXSTATUS}\nFAXERROR: ${FAXERROR}\nLOCALSTATIONID: ${LOCALSTATIONID}\nLOCALHEADERINFO: ${LOCALHEADERINFO}\nREMOTESTATIONID: ${REMOTESTATIONID}\nFAXPAGES: ${FAXPAGES}\nFAXBITRATE: ${FAXBITRATE}\nFAXRESOLUTION: ${FAXRESOLUTION});
Verbose(3,- Trying to send a email reporting the failure});
System(/bin/echo "${DEBUGINFO}" {{!}} /usr/bin/email -s "Incoming fax for ${EXTEN} failed" grp-support);
System(/bin/mkdir -p ${FAXPATH}/fax-failed);
System(/bin/mv ${FAXFILE} ${FAXPATH}/fax-failed/);
System(/bin/echo '${FAXDATE} - Failed receiving fax originated for ${EXTEN}\n${DEBUGINFO}\n\n' >> ${FAXPATH}/error.log);
} else {
Verbose(3,- Trying to send a email containing the fax);
System(/usr/bin/email -s "Incoming fax for ${EXTEN} failed" -b -a ${FAXFILE} grp-${EXTEN});
System(/bin/mkdir -p ${FAXPATH}/fax-processed);
System(/bin/mv ${FAXFILE} ${FAXPATH}/fax-processed/);
System(/bin/echo '${FAXDATE} - Successfuly received fax originated for ${EXTEN} (${FAXFILE})' >> ${FAXPATH}/success.log);
};
};
}
}}

==== Permissions ====
For {{pkg|asterisk}} to be able to read the new config files, we need to set the correct permissions to the files
{{cmd|chown -R asterisk:asterisk /etc/asterisk}}

==== Start things up ====
Now its time to start up the services
{{cmd|/etc/init.d/asterisk start}}
Configure {{pkg|asterisk}} to autostart at next reboot
{{cmd|rc-update add asterisk}}

FaxServer using Asterisk

2013-07-02T15:00:31Z

Mhavela: More draft notes about asterisk as faxserver

{{Draft|This is a experimental page to see if this could replace a more complex setup using Asterisk+IAXmodem+hylafax}}
This document aims to create a as simple as possible to setup fax server to send and receive faxes using {{pkg|asterisk}} and {{pkg|asterisk-fax}}.
__NOTOC__
= Installation =
This wiki-doc is based on [http://www.alpinelinux.org/downloads Alpine Linux 2.6] ''(but might also work on version 2.1.3 or higher)''

Start by [[Installation|setting up]] a Alpine Linux base system ''(you will most likely want to run <code>setup-alpine</code> to setup the most basic settings)''

=== Firewall ===
You might want to setup a firewall to protect your system. We will not address this task in this document. Some firewall alternatives in Alpine Linux are
* [[How-To_Alpine_Wall|AWall]]
* Shorewall
* iptables

= Configure email =
=== Install required packages ===
We will use the package {{pkg|email}} to send the faxes by email to various recipients. Lets start by installing the package
{{cmd|apk add email}}

==== General configuration ====
* Edit the appropriate file
{{cmd|vi /etc/email/email.conf}}
{{tip|Work with your SMTP provider to set the appropriate settings. Most likely you will want to
* Change the variables <code>SMTP_SERVER</code>, <code>SMTP_PORT</code>, <code>MY_NAME</code>, <code>MY_EMAIL</code>, <code>ADDRESS_BOOK</code>
* Comment out the variable <code>SIGNATURE_FILE</code>
}}

==== Address book ====
* Edit the appropriate file ''(In this example we assume you did not change the value of <code>ADDRESS_BOOK</code> variable).
{{cmd|vi /etc/email/email.address.template}}
* Define some email addresses that suits your needs. The upcoming {{pkg|asterisk}} config assumes that you have some predefined records in this address book. Example:
{{cat|/etc/email/email.address.template|# Individual email addresses
single:joe {{=}} joe@foo.bar
single:jeff {{=}} jeff@foo.bar
single:jill {{=}} jill@foo.bar

# Group that will receive error reports
group: grp-support {{=}} joe, jeff

# Group that will receive faxes originated to extension 12345
group: grp-12345 {{=}} joe, jill
}}

==== Test functionality ====
When you done your {{pkg|email}} configuration you can test this by running commands like this:
{{cmd|email -s "testmail" -b jeff}}

= Configure Asterisk =
There are multiple ways to configure Asterisk. This document only describes a very basic setup which you might want to modify based on your needs. But by following this document, you should have a fully functional fax-server using only {{pkg|asterisk}} and {{pkg|asterisk-fax}}.

=== Install required packages ===
At this stage your Alpine Linux only holds some basic packages for base functionallity. We will need to install some extra packages in order to get the fax functionallity.
{{cmd|apk add asterisk asterisk-fax}}

==== General setup ====
Set some general settings
* Edit the appropriate file
{{cmd|vi /etc/asterisk/asterisk.conf}}

* Copy this content to the file
{{cat|/etc/asterisk/asterisk.conf|[global]
astetcdir {{=}}> /etc/asterisk
astmoddir {{=}}> /usr/lib/asterisk/modules
astvarlibdir {{=}}> /var/lib/asterisk
astspooldir {{=}}> /var/spool/asterisk
astrundir {{=}}> /var/run/asterisk
astlogdir {{=}}> /var/log/asterisk
astdbdir {{=}}> /var/lib/asterisk
astkeydir {{=}}> /var/lib/asterisk
astdatadir {{=}}> /var/lib/asterisk
astagidir {{=}}> /var/lib/asterisk/agi-bin
}}

==== Load appropreate modules ====
Asterisk needs some modules to be able to handle fax.
* Edit the appropriate file
{{cmd|vi /etc/asterisk/modules.conf}}

* Copy this content to the file
{{cat|/etc/asterisk/modules.conf|[modules]
autoload{{=}}yes
}}
{{todo|Try changing this so we don't load more modules than we need}}

==== Enable SIP ====
* Edit the appropriate file
{{cmd|vi /etc/asterisk/sip.conf}}

* Copy this content to the file
{{cat|/etc/asterisk/sip.conf|[general]
context{{=}}fax_incoming ; Default context for incoming calls
allowoverlap{{=}}no ; Disable overlap dialing support. (Default is yes)
bindport{{=}}5060 ; UDP Port to bind to (SIP standard port is 5060)
; bindport is the local UDP port that Asterisk will listen on
bindaddr{{=}}0.0.0.0 ; IP address to bind to (0.0.0.0 binds to all)
srvlookup{{=}}yes ; Enable DNS SRV lookups on outbound calls
disallow{{=}}all ; First disallow all codecs
allow{{=}}ulaw ; Allow codecs (in order of preference)
allow{{=}}alaw ; Allow codecs (in order of preference)
udpbindaddr{{=}}0.0.0.0
}}

==== Configure dialplan ====
* Edit the appropriate file
{{cmd|vi /etc/asterisk/extensions.ael}}

* Copy this content to the file
{{cat|/etc/asterisk/extensions.ael|context fax_incoming {
_X. {{=}}> {
Set(FAXDATE{{=}}${STRFTIME(,,%Y%m%d%H%M%S)});
Set(FAXFILE{{=}}/tmp/fax_${EXTEN}_${FAXDATE}.tif);
Answer();
Wait(1);
ReceiveFax(${FAXFILE},f);
Verbose(3,- Fax receipt completed with status: ${FAXSTATUS});
if ("${FAXSTATUS}" {{=}} "FAILED") {
Set(DEBUGINFO\nFAXSTATUS: ${FAXSTATUS}\nFAXERROR: ${FAXERROR}\nLOCALSTATIONID: ${LOCALSTATIONID}\nLOCALHEADERINFO: ${LOCALHEADERINFO}\nREMOTESTATIONID: ${REMOTESTATIONID}\nFAXPAGES: ${FAXPAGES}\nFAXBITRATE: ${FAXBITRATE}\nFAXRESOLUTION: ${FAXRESOLUTION});
Verbose(3,- Trying to send a email reporting the failure});
System(echo "${DEBUGINFO}" {{!}} /usr/bin/email -s "Incoming fax for ${EXTEN} failed" grp-support);
System(/usr/bin/mkdir -p /tmp/fax-failed);
System(/usr/bin/mv ${FAXFILE} /tmp/fax-failed/);
} else {
Verbose(3,- Trying to send a email containing the fax});
System(/usr/bin/email -s "Incoming fax for ${EXTEN} failed" -b -a ${FAXFILE} grp-${EXTEN});
System(/usr/bin/mkdir -p /tmp/fax-processed);
System(/usr/bin/mv ${FAXFILE} /tmp/fax-processed/);
};
};
}
}}

==== Permissions ====
For {{pkg|asterisk}} to be able to read the new config files, we need to set the correct permissions to the files
{{cmd|chown -R asterisk:asterisk /etc/asterisk}}

==== Start things up ====
Now its time to start up the services
{{cmd|/etc/init.d/asterisk start}}
Configure {{pkg|asterisk}} to autostart at next reboot
{{cmd|rc-update add asterisk}}

FaxServer using Asterisk

2013-07-02T06:57:06Z

Mhavela: Draft notes about fax server

Alpine Linux:Releases

2013-06-10T15:06:15Z

Mhavela: Added 2.4.11 release to the list

There are several releases of Alpine Linux available at the same time. There is not fix release cycle but rather every 6 month we make a snapshot of '''[[Edge|edge]]''' and make a release. We support each stable release for a certain time, normally for 2 years. We can do security fixes beyond that on request and when patches are available.

The latest release of Alpine Linux is: '''2.6.1''' [http://alpinelinux.org/release-2.6.1 Release notes], [http://git.alpinelinux.org/cgit/aports/log/?h=v2.6.1 git log]

{| cellpadding="5" border="1" class="wikitable"
|-
! Branch
! Branch Date
! Latest Release
! Previous minor releases
! Directory name
! Updates
! End of Support
|-
| '''[[edge]]'''
| current
| rolling
| -
| [http://nl.alpinelinux.org/alpine/edge/ edge]
| development
| n/a
|-
| '''v2.6'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=2.6-stable 2013-05-17]
| [http://alpinelinux.org/release-2.6.1 2.6.1]
| [http://alpinelinux.org/release-2.6.0 2.6.0]
| [http://nl.alpinelinux.org/alpine/v2.6/ v2.6]
| bugfixes
| 2015-05-01
|-
| '''v2.5'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=2.5-stable 2012-11-07]
| [http://alpinelinux.org/release-2.5.4 2.5.4]
| [http://alpinelinux.org/release-2.5.0 2.5.0], [http://alpinelinux.org/release-2.5.1 2.5.1], [http://alpinelinux.org/release-2.5.2 2.5.2], [http://alpinelinux.org/release-2.5.3 2.5.3]
| [http://nl.alpinelinux.org/alpine/v2.5/ v2.5]
| security only
| 2014-11-01
|-
| '''v2.4'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=2.4-stable 2012-05-02]
| [http://alpinelinux.org/release-2.4.11 2.4.11]
| [http://alpinelinux.org/node/13811 2.4.0], [http://alpinelinux.org/node/13812 2.4.1], [http://alpinelinux.org/node/13845 2.4.2], [http://alpinelinux.org/node/13906 2.4.3], [http://alpinelinux.org/release-2.4.4 2.4.4], [http://alpinelinux.org/release-2.4.5 2.4.5], [http://alpinelinux.org/release-2.4.6 2.4.6], [http://alpinelinux.org/release-2.4.7 2.4.7], 2.4.8, [http://alpinelinux.org/node/14664 2.4.9], [http://alpinelinux.org/release-2.4.10 2.4.10]
| [http://nl.alpinelinux.org/alpine/v2.4/ v2.4]
| security only
| 2014-05-01
|-
| '''v2.3'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=2.3-stable 2011-11-01]
| [http://alpinelinux.org/node/13503 2.3.6]
| [http://alpinelinux.org/node/6841 2.3.0], [http://alpinelinux.org/node/6866 2.3.1], [http://alpinelinux.org/node/6911 2.3.2], [http://alpinelinux.org/node/6999 2.3.3], [http://alpinelinux.org/node/13466 2.3.4 & 2.3.5]
| [http://nl.alpinelinux.org/alpine/v2.3/ v2.3]
| security only
| 2013-11-01
|-
| '''v2.2'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=2.2-stable 2011-05-03]
| [http://alpinelinux.org/node/6455 2.2.3]
| [http://alpinelinux.org/node/5237 2.2.0], [http://lists.alpinelinux.org/alpine-devel/1618.html 2.2.1], [http://alpinelinux.org/node/5955 2.2.2]
| [http://nl.alpinelinux.org/alpine/v2.2/ v2.2]
| on request only
| 2013-05-01
|-
| '''v2.1'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=2.1-stable 2010-11-01]
| [http://alpinelinux.org/node/5236 2.1.6]
| [[Release_Notes_for_Alpine_2.1.0|2.1.0]], [[Release_Notes_for_Alpine_2.1.1|2.1.1]], [[Release_Notes_for_Alpine_2.1.2|2.1.2]], [[Release_Notes_for_Alpine_2.1.3|2.1.3]], [http://alpinelinux.org/node/5230 2.1.4], [http://alpinelinux.org/node/5235 2.1.5]
| [http://nl.alpinelinux.org/alpine/v2.1/ v2.1]
| on request only
| 2012-11-01
|-
| '''v2.0'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=2.0-stable 2010-08-16]
| [http://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_2.0.3 2.0.3]
| [[Release_Notes_for_Alpine_2.0.0|2.0.0]], [[Release_Notes_for_Alpine_2.0.1|2.0.1]], [[Release_Notes_for_Alpine_2.0.2|2.0.2]]
| [http://nl.alpinelinux.org/alpine/v2.0/ v2.0]
| on request only
| 2012-04-01
|}

An archive for [[older releases]] is also available.

Setting up monitoring using rrdtool (and rrdcollect)

2012-11-21T18:21:04Z

Mhavela: This doc is confirmed to work (removing Draft notes)

== Install programs ==
{{Cmd|apk add rrdtool rrdcollect}}

== Create rrd-databases ==
As we will use rrdcollect to collect our data for us, we will create all databases that the default config for rrdcollect tries to use.
=== stat.rrd ===
<pre>
rrdtool create /var/lib/rrdtool/stat.rrd \
--step 60 \
DS:cpu_user:COUNTER:120:0:U \
DS:cpu_nice:COUNTER:120:0:U \
DS:cpu_system:COUNTER:120:0:U \
DS:cpu_idle:COUNTER:120:0:U \
DS:cpu_iowait:COUNTER:120:0:U \
DS:cpu_irq:COUNTER:120:0:U \
DS:cpu_softirq:COUNTER:120:0:U \
DS:ctxt:COUNTER:120:0:U \
DS:page_in:COUNTER:120:0:U \
DS:page_out:COUNTER:120:0:U \
DS:processes:COUNTER:120:0:U \
DS:swap_in:COUNTER:120:0:U \
DS:swap_out:COUNTER:120:0:U \
RRA:AVERAGE:0.5:1:360 \
RRA:AVERAGE:0.5:10:1008 \
RRA:MAX:0.5:10:1008
</pre>

=== memory.rrd ===
<pre>
rrdtool create /var/lib/rrdtool/memory.rrd \
--step 60 \
DS:mem_total:GAUGE:120:0:U \
DS:mem_used:GAUGE:120:0:U \
DS:mem_free:GAUGE:120:0:U \
DS:mem_shared:GAUGE:120:0:U \
DS:mem_buffers:GAUGE:120:0:U \
DS:swap_total:GAUGE:120:0:U \
DS:swap_used:GAUGE:120:0:U \
DS:swap_free:GAUGE:120:0:U \
RRA:AVERAGE:0.5:1:360 \
RRA:AVERAGE:0.5:10:1008 \
RRA:MAX:0.5:10:1008
</pre>

=== eth0.rrd ===
<pre>
rrdtool create /var/lib/rrdtool/eth0.rrd \
--step 60 \
DS:bytes_in:COUNTER:120:0:U \
DS:pkts_in:COUNTER:120:0:U \
DS:bytes_out:COUNTER:120:0:U \
DS:pkts_out:COUNTER:120:0:U \
RRA:AVERAGE:0.5:1:360 \
RRA:AVERAGE:0.5:10:1008 \
RRA:MAX:0.5:10:1008
</pre>
{{note|If you chose to change the "--step 60" ''(which specifies the base interval in seconds with which data will be fed into the RRD)'' then make sure to change the 'step' value in /etc/rrdcollect/rrdcollect.conf to reflect your changes above.}}
{{tip|In the above examples the first RRA in each .rrd is more precise (1min interval), but it holds data for shorter time. (1x360x60) equals 21600s/6h) 
The second RRA evaluates 10 min interval and holds data for longer period. (10x1008x60 equals 604800s/168h/7d)}}

== Gather information and put it in the RRD ==
{{cmd|rc-service rrdcollect start}}

== Create graphs based on the rrd's ==
In the below examples you will notice that the .png file is exported to "/var/www/localhost/htdocs/". 
You would need to either create /var/www/localhost/htdocs/ or change the path for the images.
=== Stat ===
<pre>
rrdtool graph /var/www/localhost/htdocs/stat.png --start -1800 \
-a PNG -t "Stat" --vertical-label "bits/s" \
-w 1260 -h 400 -r \
DEF:cpu_user=/var/lib/rrdtool/stat.rrd:cpu_user:AVERAGE \
DEF:cpu_nice=/var/lib/rrdtool/stat.rrd:cpu_nice:AVERAGE \
DEF:cpu_system=/var/lib/rrdtool/stat.rrd:cpu_system:AVERAGE \
DEF:cpu_idle=/var/lib/rrdtool/stat.rrd:cpu_idle:AVERAGE \
DEF:cpu_iowait=/var/lib/rrdtool/stat.rrd:cpu_iowait:AVERAGE \
DEF:cpu_irq=/var/lib/rrdtool/stat.rrd:cpu_irq:AVERAGE \
DEF:cpu_softirq=/var/lib/rrdtool/stat.rrd:cpu_softirq:AVERAGE \
DEF:ctxt=/var/lib/rrdtool/stat.rrd:ctxt:AVERAGE \
DEF:page_in=/var/lib/rrdtool/stat.rrd:page_in:AVERAGE \
DEF:page_out=/var/lib/rrdtool/stat.rrd:page_out:AVERAGE \
DEF:processes=/var/lib/rrdtool/stat.rrd:processes:AVERAGE \
DEF:swap_in=/var/lib/rrdtool/stat.rrd:swap_in:AVERAGE \
DEF:swap_out=/var/lib/rrdtool/stat.rrd:swap_out:AVERAGE \
AREA:cpu_user#D7CC00:cpu_user \
AREA:cpu_nice#D7CC00:cpu_nice \
LINE2:cpu_system#D73600:cpu_system \
LINE2:cpu_idle#D73600:cpu_idle \
LINE2:ctxt#0101D6:ctxt \
LINE2:page_in#0101D6:page_in \
LINE2:page_out#D73600:page_out \
LINE2:processes#D73600:processes \
LINE2:swap_in#D73600:swap_in \
LINE2:swap_out#D73600:swap_out
</pre>

=== Memory ===
<pre>
rrdtool graph /var/www/localhost/htdocs/memory.png --start -1800 \
-a PNG -t "Memory" --vertical-label "" \
-w 1260 -h 400 -r \
DEF:mem_total=/var/lib/rrdtool/memory.rrd:mem_total:AVERAGE \
DEF:mem_used=/var/lib/rrdtool/memory.rrd:mem_used:AVERAGE \
DEF:mem_free=/var/lib/rrdtool/memory.rrd:mem_free:AVERAGE \
DEF:mem_shared=/var/lib/rrdtool/memory.rrd:mem_shared:AVERAGE \
DEF:mem_buffers=/var/lib/rrdtool/memory.rrd:mem_buffers:AVERAGE \
DEF:swap_total=/var/lib/rrdtool/memory.rrd:swap_total:AVERAGE \
DEF:swap_used=/var/lib/rrdtool/memory.rrd:swap_used:AVERAGE \
DEF:swap_free=/var/lib/rrdtool/memory.rrd:swap_free:AVERAGE \
CDEF:mem_total_x=mem_total,1024,\* \
CDEF:mem_used_x=mem_used,1024,\* \
CDEF:mem_free_x=mem_free,1024,\* \
CDEF:mem_shared_x=mem_shared,1024,\* \
CDEF:mem_buffers_x=mem_buffers,1024,\* \
CDEF:swap_total_x=swap_total,1024,\* \
CDEF:swap_used_x=swap_used,1024,\* \
CDEF:swap_free_x=swap_free,1024,\* \
LINE1:mem_total_x#000000:mem_total \
LINE2:mem_used_x#D7CC00:mem_used \
LINE2:mem_free_x#00CC00:mem_free \
LINE2:mem_shared_x#D73600:mem_shared \
LINE2:mem_buffers_x#D73600:mem_buffers \
LINE2:swap_total_x#000000:swap_total \
LINE2:swap_used_x#0101D6:swap_used \
LINE2:swap_free_x#0101D6:swap_free
</pre>

=== eth0 ===
<pre>
rrdtool graph /var/www/localhost/htdocs/eth0.png --start -1h \
-a PNG -t "eth0" --vertical-label "bits/s" \
-w 1260 -h 400 -r \
DEF:bytes_in=/var/lib/rrdtool/eth0.rrd:bytes_in:AVERAGE \
DEF:bytes_out=/var/lib/rrdtool/eth0.rrd:bytes_out:AVERAGE \
CDEF:bits_in=bytes_in,8,\* \
CDEF:bits_out=bytes_out,-8,\* \
AREA:bits_in#339933:bits_in \
AREA:bits_out#aa3333:bits_out \
HRULE:0#000000
</pre>
<pre>
rrdtool graph /var/www/localhost/htdocs/eth0pkt.png --start -1800 \
-a PNG -t "eth0" --vertical-label "packets" \
-w 1260 -h 400 -r \
DEF:pkts_in=/var/lib/rrdtool/eth0.rrd:pkts_in:AVERAGE \
DEF:pkts_out=/var/lib/rrdtool/eth0.rrd:pkts_out:AVERAGE \
CDEF:pkts_out_negative=pkts_out,-1,\* \
LINE2:pkts_in#006600:pkts_in \
LINE2:pkts_out_negative#D73600:pkts_out \
HRULE:0#000000
</pre>

[[Category:Monitoring]]

OwnCloud

2012-11-19T12:31:26Z

Mhavela: webdav functionallity is fixed ( https://bugs.alpinelinux.org/issues/1470 ). Simplifying webserver installation notes. Clarifying hardening for config.php

[http://owncloud.org/ ownCloud] is WedDAV-based solution for storing and sharing on-line your data, files, images, video, music, calendars and contacts. You can have your ownCloud instance up and running in 5 minutes with Alpine!

= Installation =
{{pkg|ownCloud}} is available from Alpine 2.5 and greater.

Before you start installing anything, make sure you have latest packages available. Make sure you are using a 'http' repository in your {{path|/etc/apk/repositories}} and then run:
{{cmd|apk update}}
{{tip|Detailed information is found in [[Include:Upgrading_to_latest_release|this]] doc.}}

== Database ==
First you have to decide which database to use. Follow one of the below database alternatives.
=== sqlite ===
All you need to do is to install the package
{{cmd|apk add owncloud-sqlite}}
{{warning|{{pkg|sqlite}}+{{pkg|owncould}} is known to have some problem, so do not expect it work. This note should be removed when {{pkg|sqlite}}+{{pkg|owncould}} works. ''(Still a problem at 2012-11-15)''}}
=== postgresql ===
Install the package
{{cmd|apk add owncloud-pgsql}}

Next thing is to configure and start the database
{{cmd|/etc/init.d/postgresql setup
/etc/init.d/postgresql start}}

Next you need to create a user, and temporary grant CREATEDB privilege.
{{cmd|psql -U postgres
CREATE USER mycloud WITH PASSWORD 'test123';
ALTER ROLE mycloud CREATEDB;
\q}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up owncloud.}}

=== mysql ===
Install the package
{{cmd|apk add owncloud-mysql mysql-client}}

Now configure and start {{pkg|mysql}}
{{cmd|/etc/init.d/mysql setup
/etc/init.d/mysql start
/usr/bin/mysql_secure_installation}}
Follow the wizard to setup passwords etc.
{{Note|Remember the usernames/passwords that you set using the wizard, you will need them later.}}

Next you need to create a user, database and set permissions.
{{cmd|mysql -u root -p
CREATE DATABASE owncloud;
GRANT ALL ON owncloud.* TO 'mycloud'@'localhost' IDENTIFIED BY 'test123';
GRANT ALL ON owncloud.* TO 'mycloud'@'localhost.localdomain' IDENTIFIED BY 'test123';
FLUSH PRIVILEGES;
EXIT}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up owncloud.}}

{{pkg|mysql-client}} is not needed anymore. Let's uninstall it:
{{cmd|apk del mysql-client}}

== Webserver ==
Next thing is to choose, install and configure a webserver. In this example we will install {{pkg|lighttpd}} but you are free to install any other webserver of your choise as long as it supports php and FastCGI.

=== lighttpd ===
Install the package
{{cmd|apk add lighttpd}}

Make sure you have FastCGI enabled in {{pkg|lighttpd}}:
{{cat|/etc/lighttpd/lighttpd.conf|...
include "mod_fastcgi.conf"
...}}

Start up the webserver
{{cmd|/etc/init.d/lighttpd start}}

{{tip|You might want to follow the [http://wiki.alpinelinux.org/wiki/Lighttpd_Https_access Lighttpd_Https_access] doc in order to configure lighttpd to use https ''(securing your connections to your owncloud server)''.}}

=== Publish owncloud ===
Link {{pkg|owncloud}} installation to web server directory:
{{cmd|ln -s /usr/share/webapps/owncloud /var/www/localhost/htdocs/owncloud}}

== Other settings ==
=== Hardening ===
Consider updating the variable <code>url.access-deny</code> in {{path|/etc/lighttpd/lighttpd.conf}} for additional security. Add <code>"config.php"</code> to the variable ''(that's where the database is stored)'' so it looks something like this:
{{cat|/etc/lighttpd/lighttpd.conf|...
url.access-deny {{=}} ("~", ".inc", "config.php")
...}}
Restart {{pkg|lighttpd}} to activate the changes
{{cmd|/etc/init.d/lighttpd restart}}

=== Additional packages ===
Some large apps, such as texteditor and videoviewer are in separate package:
{{cmd|apk add owncloud-texteditor owncloud-videoviewer}}

=== Folder permissions ===
The web server user needs to have ownership on some dirs. This is fixed by running the following commands:
{{cmd|chown -R lighttpd.lighttpd /etc/owncloud
chown -R lighttpd.lighttpd /usr/share/webapps/owncloud/apps
chown -R lighttpd.lighttpd /var/lib/owncloud/data}}
{{note|Each time you upgrade {{pkg|owncloud}} you need to remember to fix the permissions as described above.}}

= Configure and use ownCloud =
== Configure ==
Point your browser at <code><nowiki>http://<%MY_SERVER_IP%>/owncloud</nowiki></code> and follow the on-screen instructions to complete the installation, supplying the database user and password created before.

== Hardening postgresql ==
If you have chosen PGSQL backend, revoke CREATEDB privilege from 'mycloud' user:
{{cmd|psql -U postgres
ALTER ROLE mycloud NOCREATEDB;
\q}}

== Increase upload size ==
Default configuration for php is limited to 2Mb file size. You might want to increase that size by editing the {{path|/etc/php/php.ini}} and change the following values to something that suits you:
<pre>
upload_max_filesize = 2M
post_max_size = 8M
</pre>

== Clients ==
There are clients available for many platforms, Android included:
* http://owncloud.org/sync-clients/ ''(ownCloud Sync clients)''
* http://owncloud.org/support/android/ ''(Android client)''

[[Category:Server]]

OwnCloud

2012-11-18T20:17:00Z

Mhavela: /* Configure and use ownCloud */ webdav is broken

[http://owncloud.org/ ownCloud] is WedDAV-based solution for storing and sharing on-line your data, files, images, video, music, calendars and contacts. You can have your ownCloud instance up and running in 5 minutes with Alpine!

= Installation =
{{pkg|ownCloud}} is available from Alpine 2.5 and greater.

Before you start installing anything, make sure you have latest packages available. Make sure you are using a 'http' repository in your {{path|/etc/apk/repositories}} and then run:
{{cmd|apk update}}
{{tip|Detailed information is found in [[Include:Upgrading_to_latest_release|this]] doc.}}

== Database ==
First you have to decide which database to use. Follow one of the below database alternatives.
=== sqlite ===
All you need to do is to install the package
{{cmd|apk add owncloud-sqlite}}
{{warning|{{pkg|sqlite}}+{{pkg|owncould}} is known to have some problem, so do not expect it work. This note should be removed when {{pkg|sqlite}}+{{pkg|owncould}} works. ''(Still a problem at 2012-11-15)''}}
=== postgresql ===
Install the package
{{cmd|apk add owncloud-pgsql}}

Next thing is to configure and start the database
{{cmd|/etc/init.d/postgresql setup
/etc/init.d/postgresql start}}

Next you need to create a user, and temporary grant CREATEDB privilege.
{{cmd|psql -U postgres
CREATE USER mycloud WITH PASSWORD 'test123';
ALTER ROLE mycloud CREATEDB;
\q}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up owncloud.}}

=== mysql ===
Install the package
{{cmd|apk add owncloud-mysql mysql-client}}

Now configure and start {{pkg|mysql}}
{{cmd|/etc/init.d/mysql setup
/etc/init.d/mysql start
/usr/bin/mysql_secure_installation}}
Follow the wizard to setup passwords etc.
{{Note|Remember the usernames/passwords that you set using the wizard, you will need them later.}}

Next you need to create a user, database and set permissions.
{{cmd|mysql -u root -p
CREATE DATABASE owncloud;
GRANT ALL ON owncloud.* TO 'mycloud'@'localhost' IDENTIFIED BY 'test123';
GRANT ALL ON owncloud.* TO 'mycloud'@'localhost.localdomain' IDENTIFIED BY 'test123';
FLUSH PRIVILEGES;
EXIT}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up owncloud.}}

{{pkg|mysql-client}} is not needed anymore. Let's uninstall it:
{{cmd|apk del mysql-client}}

== Webserver ==
Next thing is to choose, install and configure a webserver. Choose one alternative from below ''(or setup a webserver of your choise)''

=== lighttpd ===
Install the package
{{cmd|apk add lighttpd}}

Make sure you have FastCGI enabled in {{pkg|lighttpd}}:
{{cat|/etc/lighttpd/lighttpd.conf|...
include "mod_fastcgi.conf"
...}}

Start up the webserver
{{cmd|/etc/init.d/lighttpd start}}

{{tip|You might want to follow the [http://wiki.alpinelinux.org/wiki/Lighttpd_Https_access Lighttpd_Https_access] doc in order to configure lighttpd to use https ''(securing your connections to your owncloud server)''.}}

=== XYZ webserver ===
You could try installing some other webserver and document it here
* Apache2
* cherokee
* other...

=== Other ===
Link owncloud installation to web server directory:
{{cmd|ln -s /usr/share/webapps/owncloud /var/www/localhost/htdocs/owncloud}}

== Other settings ==
=== Hardening ===
Consider adding the following line for additional security to the owncloud configuration file, where the password database is stored:
{{cat|/etc/lighttpd/lighttpd.conf|...
url.access-deny {{=}} ("config.php")
...}}

=== Additional packages ===
Some large apps, such as texteditor and videoviewer are in separate package:
{{cmd|apk add owncloud-texteditor owncloud-videoviewer}}

=== Folder permissions ===
The web server user needs to have ownership on some dirs. This is fixed by running the following commands:
{{cmd|chown -R lighttpd.lighttpd /etc/owncloud
chown -R lighttpd.lighttpd /usr/share/webapps/owncloud/apps
chown -R lighttpd.lighttpd /var/lib/owncloud/data}}

= Configure and use ownCloud =
== Configure ==
Point your browser at <code><nowiki>http://<%MY_SERVER_IP%>/owncloud</nowiki></code> and follow the on-screen instructions to complete the installation, supplying the database user and password created before.
{{Todo|There is currently a issue with using webDAV to connect to the owncloud server. Looking at ownclouds dependency app, it shows that {{pkg|php-xml}} is missing ''(which is not true)''. Most likely the Class 'DOMDocument' thats missing in {{pkg|php-xml}}. See {{issue|1470}} for more details.}}

== Hardening postgresql ==
If you have chosen PGSQL backend, revoke CREATEDB privilege from 'mycloud' user:
{{cmd|psql -U postgres
ALTER ROLE mycloud NOCREATEDB;
\q}}

== Increase upload size ==
Default configuration for php is limited to 2Mb file size. You might want to increase that size by editing the {{path|/etc/php/php.ini}} and change the following values to something that suits you:
<pre>
upload_max_filesize = ?M
post_max_size = ?M
</pre>

== Clients ==
There are clients available for many platforms, Android included:
* http://owncloud.org/sync-clients/ ''(ownCloud Sync clients)''
* http://owncloud.org/support/android/ ''(Android client)''

[[Category:Server]]

OwnCloud

2012-11-18T20:07:52Z

Mhavela: /* Configure and use ownCloud */ Configure php to accept bigger upload size

[http://owncloud.org/ ownCloud] is WedDAV-based solution for storing and sharing on-line your data, files, images, video, music, calendars and contacts. You can have your ownCloud instance up and running in 5 minutes with Alpine!

= Installation =
{{pkg|ownCloud}} is available from Alpine 2.5 and greater.

Before you start installing anything, make sure you have latest packages available. Make sure you are using a 'http' repository in your {{path|/etc/apk/repositories}} and then run:
{{cmd|apk update}}
{{tip|Detailed information is found in [[Include:Upgrading_to_latest_release|this]] doc.}}

== Database ==
First you have to decide which database to use. Follow one of the below database alternatives.
=== sqlite ===
All you need to do is to install the package
{{cmd|apk add owncloud-sqlite}}
{{warning|{{pkg|sqlite}}+{{pkg|owncould}} is known to have some problem, so do not expect it work. This note should be removed when {{pkg|sqlite}}+{{pkg|owncould}} works. ''(Still a problem at 2012-11-15)''}}
=== postgresql ===
Install the package
{{cmd|apk add owncloud-pgsql}}

Next thing is to configure and start the database
{{cmd|/etc/init.d/postgresql setup
/etc/init.d/postgresql start}}

Next you need to create a user, and temporary grant CREATEDB privilege.
{{cmd|psql -U postgres
CREATE USER mycloud WITH PASSWORD 'test123';
ALTER ROLE mycloud CREATEDB;
\q}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up owncloud.}}

=== mysql ===
Install the package
{{cmd|apk add owncloud-mysql mysql-client}}

Now configure and start {{pkg|mysql}}
{{cmd|/etc/init.d/mysql setup
/etc/init.d/mysql start
/usr/bin/mysql_secure_installation}}
Follow the wizard to setup passwords etc.
{{Note|Remember the usernames/passwords that you set using the wizard, you will need them later.}}

Next you need to create a user, database and set permissions.
{{cmd|mysql -u root -p
CREATE DATABASE owncloud;
GRANT ALL ON owncloud.* TO 'mycloud'@'localhost' IDENTIFIED BY 'test123';
GRANT ALL ON owncloud.* TO 'mycloud'@'localhost.localdomain' IDENTIFIED BY 'test123';
FLUSH PRIVILEGES;
EXIT}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up owncloud.}}

{{pkg|mysql-client}} is not needed anymore. Let's uninstall it:
{{cmd|apk del mysql-client}}

== Webserver ==
Next thing is to choose, install and configure a webserver. Choose one alternative from below ''(or setup a webserver of your choise)''

=== lighttpd ===
Install the package
{{cmd|apk add lighttpd}}

Make sure you have FastCGI enabled in {{pkg|lighttpd}}:
{{cat|/etc/lighttpd/lighttpd.conf|...
include "mod_fastcgi.conf"
...}}

Start up the webserver
{{cmd|/etc/init.d/lighttpd start}}

{{tip|You might want to follow the [http://wiki.alpinelinux.org/wiki/Lighttpd_Https_access Lighttpd_Https_access] doc in order to configure lighttpd to use https ''(securing your connections to your owncloud server)''.}}

=== XYZ webserver ===
You could try installing some other webserver and document it here
* Apache2
* cherokee
* other...

=== Other ===
Link owncloud installation to web server directory:
{{cmd|ln -s /usr/share/webapps/owncloud /var/www/localhost/htdocs/owncloud}}

== Other settings ==
=== Hardening ===
Consider adding the following line for additional security to the owncloud configuration file, where the password database is stored:
{{cat|/etc/lighttpd/lighttpd.conf|...
url.access-deny {{=}} ("config.php")
...}}

=== Additional packages ===
Some large apps, such as texteditor and videoviewer are in separate package:
{{cmd|apk add owncloud-texteditor owncloud-videoviewer}}

=== Folder permissions ===
The web server user needs to have ownership on some dirs. This is fixed by running the following commands:
{{cmd|chown -R lighttpd.lighttpd /etc/owncloud
chown -R lighttpd.lighttpd /usr/share/webapps/owncloud/apps
chown -R lighttpd.lighttpd /var/lib/owncloud/data}}

= Configure and use ownCloud =
== Configure ==
Point your browser at <code><nowiki>http://<%MY_SERVER_IP%>/owncloud</nowiki></code> and follow the on-screen instructions to complete the installation, supplying the database user and password created before.

== Hardening postgresql ==
If you have chosen PGSQL backend, revoke CREATEDB privilege from 'mycloud' user:
{{cmd|psql -U postgres
ALTER ROLE mycloud NOCREATEDB;
\q}}

== Increase upload size ==
Default configuration for php is limited to 2Mb file size. You might want to increase that size by editing the {{path|/etc/php/php.ini}} and change the following values to something that suits you:
<pre>
upload_max_filesize = ?M
post_max_size = ?M
</pre>

== Clients ==
There are clients available for many platforms, Android included:
* http://owncloud.org/sync-clients/ ''(ownCloud Sync clients)''
* http://owncloud.org/support/android/ ''(Android client)''

[[Category:Server]]

OwnCloud

2012-11-18T20:01:25Z

Mhavela: Suggest using https

[http://owncloud.org/ ownCloud] is WedDAV-based solution for storing and sharing on-line your data, files, images, video, music, calendars and contacts. You can have your ownCloud instance up and running in 5 minutes with Alpine!

= Installation =
{{pkg|ownCloud}} is available from Alpine 2.5 and greater.

Before you start installing anything, make sure you have latest packages available. Make sure you are using a 'http' repository in your {{path|/etc/apk/repositories}} and then run:
{{cmd|apk update}}
{{tip|Detailed information is found in [[Include:Upgrading_to_latest_release|this]] doc.}}

== Database ==
First you have to decide which database to use. Follow one of the below database alternatives.
=== sqlite ===
All you need to do is to install the package
{{cmd|apk add owncloud-sqlite}}
{{warning|{{pkg|sqlite}}+{{pkg|owncould}} is known to have some problem, so do not expect it work. This note should be removed when {{pkg|sqlite}}+{{pkg|owncould}} works. ''(Still a problem at 2012-11-15)''}}
=== postgresql ===
Install the package
{{cmd|apk add owncloud-pgsql}}

Next thing is to configure and start the database
{{cmd|/etc/init.d/postgresql setup
/etc/init.d/postgresql start}}

Next you need to create a user, and temporary grant CREATEDB privilege.
{{cmd|psql -U postgres
CREATE USER mycloud WITH PASSWORD 'test123';
ALTER ROLE mycloud CREATEDB;
\q}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up owncloud.}}

=== mysql ===
Install the package
{{cmd|apk add owncloud-mysql mysql-client}}

Now configure and start {{pkg|mysql}}
{{cmd|/etc/init.d/mysql setup
/etc/init.d/mysql start
/usr/bin/mysql_secure_installation}}
Follow the wizard to setup passwords etc.
{{Note|Remember the usernames/passwords that you set using the wizard, you will need them later.}}

Next you need to create a user, database and set permissions.
{{cmd|mysql -u root -p
CREATE DATABASE owncloud;
GRANT ALL ON owncloud.* TO 'mycloud'@'localhost' IDENTIFIED BY 'test123';
GRANT ALL ON owncloud.* TO 'mycloud'@'localhost.localdomain' IDENTIFIED BY 'test123';
FLUSH PRIVILEGES;
EXIT}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up owncloud.}}

{{pkg|mysql-client}} is not needed anymore. Let's uninstall it:
{{cmd|apk del mysql-client}}

== Webserver ==
Next thing is to choose, install and configure a webserver. Choose one alternative from below ''(or setup a webserver of your choise)''

=== lighttpd ===
Install the package
{{cmd|apk add lighttpd}}

Make sure you have FastCGI enabled in {{pkg|lighttpd}}:
{{cat|/etc/lighttpd/lighttpd.conf|...
include "mod_fastcgi.conf"
...}}

Start up the webserver
{{cmd|/etc/init.d/lighttpd start}}

{{tip|You might want to follow the [http://wiki.alpinelinux.org/wiki/Lighttpd_Https_access Lighttpd_Https_access] doc in order to configure lighttpd to use https ''(securing your connections to your owncloud server)''.}}

=== XYZ webserver ===
You could try installing some other webserver and document it here
* Apache2
* cherokee
* other...

=== Other ===
Link owncloud installation to web server directory:
{{cmd|ln -s /usr/share/webapps/owncloud /var/www/localhost/htdocs/owncloud}}

== Other settings ==
=== Hardening ===
Consider adding the following line for additional security to the owncloud configuration file, where the password database is stored:
{{cat|/etc/lighttpd/lighttpd.conf|...
url.access-deny {{=}} ("config.php")
...}}

=== Additional packages ===
Some large apps, such as texteditor and videoviewer are in separate package:
{{cmd|apk add owncloud-texteditor owncloud-videoviewer}}

=== Folder permissions ===
The web server user needs to have ownership on some dirs. This is fixed by running the following commands:
{{cmd|chown -R lighttpd.lighttpd /etc/owncloud
chown -R lighttpd.lighttpd /usr/share/webapps/owncloud/apps
chown -R lighttpd.lighttpd /var/lib/owncloud/data}}

= Configure and use ownCloud =
== Configure ==
Point your browser at <code><nowiki>http://<%MY_SERVER_IP%>/owncloud</nowiki></code> and follow the on-screen instructions to complete the installation, supplying the database user and password created before.

== Hardening postgresql ==
If you have chosen PGSQL backend, revoke CREATEDB privilege from 'mycloud' user:
{{cmd|psql -U postgres
ALTER ROLE mycloud NOCREATEDB;
\q}}

== Clients ==
There are clients available for many platforms, Android included:
* http://owncloud.org/sync-clients/ ''(ownCloud Sync clients)''
* http://owncloud.org/support/android/ ''(Android client)''

[[Category:Server]]

OwnCloud

2012-11-15T15:50:31Z

Mhavela: I think owncloud-mysql works now (better than the others)

{{draft}}
[http://owncloud.org/ ownCloud] is WedDAV-based solution for storing and sharing on-line your data, files, images, video, music, calendars and contacts. You can have your ownCloud instance up and running in 5 minutes with Alpine!

= Installation =
{{pkg|ownCloud}} is available from Alpine 2.5 and greater.

Before you start installing anything, make sure you have latest packages available. Make sure you are using a 'http' repository in your {{path|/etc/apk/repositories}} and then run:
{{cmd|apk update}}
{{tip|Detailed information is found in [[Include:Upgrading_to_latest_release|this]] doc.}}

== Database ==
First you have to decide which database to use. Follow one of the below database alternatives.
=== sqlite ===
All you need to do is to install the package
{{cmd|apk add owncloud-sqlite}}
{{warning|{{pkg|sqlite}}+{{pkg|owncould}} is known to have some problem, so do not expect it work. This note should be removed when {{pkg|sqlite}}+{{pkg|owncould}} works. ''(Still a problem at 2012-11-15)''}}
=== postgresql ===
Install the package
{{cmd|apk add owncloud-pgsql}}

Next thing is to configure and start the database
{{cmd|/etc/init.d/postgresql setup
/etc/init.d/postgresql start}}

Next you need to create a user, and temporary grant CREATEDB privilege.
{{cmd|psql -U postgres
CREATE USER mycloud WITH PASSWORD 'test123';
ALTER ROLE mycloud CREATEDB;
\q}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up owncloud.}}

=== mysql ===
Install the package
{{cmd|apk add owncloud-mysql mysql-client}}

Now configure and start {{pkg|mysql}}
{{cmd|/etc/init.d/mysql setup
/etc/init.d/mysql start
/usr/bin/mysql_secure_installation}}
Follow the wizard to setup passwords etc.
{{Note|Remember the usernames/passwords that you set using the wizard, you will need them later.}}

Next you need to create a user, database and set permissions.
{{cmd|mysql -u root -p
CREATE DATABASE owncloud;
GRANT ALL ON owncloud.* TO 'mycloud'@'localhost' IDENTIFIED BY 'test123';
GRANT ALL ON owncloud.* TO 'mycloud'@'localhost.localdomain' IDENTIFIED BY 'test123';
FLUSH PRIVILEGES;
EXIT}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up owncloud.}}

== Webserver ==
Next thing is to choose, install and configure a webserver. Choose one alternative from below ''(or setup a webserver of your choise)''

=== lighttpd ===
Install the package
{{cmd|apk add lighttpd}}

Make sure you have FastCGI enabled in {{pkg|lighttpd}}:
{{cat|/etc/lighttpd/lighttpd.conf|...
include "mod_fastcgi.conf"
...}}

Start up the webserver
{{cmd|/etc/init.d/lighttpd start}}

=== XYZ webserver ===
You could try installing some other webserver and document it here
* Apache2
* cherokee
* other...

=== Other ===
Link owncloud installation to web server directory:
{{cmd|ln -s /usr/share/webapps/owncloud /var/www/localhost/htdocs/owncloud}}

== Other settings ==
=== Hardening ===
Consider adding the following line for additional security to the owncloud configuration file, where the password database is stored:
{{cat|/etc/lighttpd/lighttpd.conf|...
url.access-deny {{=}} ("config.php")
...}}

=== Additional packages ===
Some large apps, such as texteditor and videoviewer are in separate package:
{{cmd|apk add owncloud-texteditor owncloud-videoviewer}}

=== Folder permissions ===
The web server user needs to have ownership on some dirs. This is fixed by running the following commands:
{{cmd|chown -R lighttpd.lighttpd /etc/owncloud
chown -R lighttpd.lighttpd /usr/share/webapps/owncloud/apps
chown -R lighttpd.lighttpd /var/lib/owncloud/data}}

= Configure and use ownCloud =
== Configure ==
Point your browser at <code><nowiki>http://<%MY_SERVER_IP%>/owncloud</nowiki></code> and follow the on-screen instructions to complete the installation, supplying the database user and password created before.

== Hardening postgresql ==
If you have chosen PGSQL backend, revoke CREATEDB privilege from 'mycloud' user:
{{cmd|psql -U postgres
ALTER ROLE mycloud NOCREATEDB;
\q}}

== Clients ==
There are clients available for many platforms, Android included:
* http://owncloud.org/sync-clients/ ''(ownCloud Sync clients)''
* http://owncloud.org/support/android/ ''(Android client)''

[[Category:Server]]

OwnCloud

2012-11-15T10:43:31Z

Mhavela: /* mysql */ Additional mysql notes

{{draft}}
[http://owncloud.org/ ownCloud] is WedDAV-based solution for storing and sharing on-line your data, files, images, video, music, calendars and contacts. You can have your ownCloud instance up and running in 5 minutes with Alpine!

= Installation =
{{pkg|ownCloud}} is available from Alpine 2.5 and greater.

Before you start installing anything, make sure you have latest packages available. Make sure you are using a 'http' repository in your {{path|/etc/apk/repositories}} and then run:
{{cmd|apk update}}
{{tip|Detailed information is found in [[Include:Upgrading_to_latest_release|this]] doc.}}

== Database ==
First you have to decide which database to use. Follow one of the below database alternatives.
=== sqlite ===
All you need to do is to install the package
{{cmd|apk add owncloud-sqlite}}
{{warning|{{pkg|sqlite}}+{{pkg|owncould}} is known to have some problem, so do not expect it work. This note should be removed when {{pkg|sqlite}}+{{pkg|owncould}} works. ''(Still a problem at 2012-11-15)''}}
=== postgresql ===
Install the package
{{cmd|apk add owncloud-psql}}

Next thing is to configure and start the database
{{cmd|/etc/init.d/postgresql setup
/etc/init.d/postgresql start}}

Next you need to create a user, database and set permissions.
{{cmd|# psql -U postgres
postgres{{=}}# CREATE USER owncloud WITH PASSWORD '<%STRONG_PASSWORD%>';
postgres{{=}}# CREATE DATABASE owncloud;
postgres{{=}}# GRANT ALL ON DATABASE owncloud TO owncloud;
postgres{{=}}# \q}}
{{note|The above commands creates the user 'owncloud' with a password you provide and the database 'owncloud'. Remember these settings, you will need them later when setting up owncloud}}

=== mysql ===
Install the package
{{cmd|apk add owncloud-mysql mysql-client}}

Now configure and start {{pkg|mysql}}
{{cmd|/etc/init.d/mysql setup
/etc/init.d/mysql start
/usr/bin/mysql_secure_installation}}
Follow the wizard to setup passwords etc.
{{Note|Remember the usernames/passwords that you set using the wizard, you will need them later.}}

Next you need to create a user, database and set permissions.
{{cmd|mysql -u root -p
CREATE DATABASE owncloud;
GRANT ALL PRIVILEGES ON owncloud.* TO "mycloud"@"localhost" IDENTIFIED BY "mypassword";
FLUSH PRIVILEGES;
EXIT}}
{{Note|Replace the above 'mycloud' and 'mypassword' to something secure}}

{{todo|The mysql setup is not yet tested and verified. Please update/bugfix the mysql-notes above and remove this note when verified that it works.}}

== Webserver ==
Next thing is to choose, install and configure a webserver. Choose one alternative from below ''(or setup a webserver of your choise)''

=== lighttpd ===
Install the package
{{cmd|apk add lighttpd}}

Make sure you have FastCGI enabled in {{pkg|lighttpd}}:
{{cat|/etc/lighttpd/lighttpd.conf|...
include "mod_fastcgi.conf"
...}}

Start up the webserver
{{cmd|/etc/init.d/lighttpd start}}

=== XYZ webserver ===
You could try installing some other webserver and document it here
* Apache2
* cherokee
* other...

=== Other ===
Link owncloud installation to web server directory:
{{cmd|ln -s /usr/share/webapps/owncloud /var/www/localhost/htdocs/owncloud}}

== Other settings ==
=== Hardening ===
Consider adding the following line for additional security to the owncloud configuration file, where the password database is stored:
{{cat|/etc/lighttpd/lighttpd.conf|...
url.access-deny {{=}} ("config.php")
...}}

=== Folder permissions ===
The web server user needs to have ownership on some dirs. This is fixed by running the following commands:
{{cmd|chown -R lighttpd.lighttpd /etc/owncloud
chown -R lighttpd.lighttpd /usr/share/webapps/owncloud/apps
chown -R lighttpd.lighttpd /var/lib/owncloud/data}}

=== Additional packages ===
Some large apps, such as texteditor and videoviewer are in separate package:
{{cmd|apk add owncloud-texteditor owncloud-videoviewer}}

= Configure and use ownCloud =
== Configure ==
Point your browser at <code><nowiki>http://<%MY_SERVER_IP%>/owncloud</nowiki></code> and follow the on-screen instructions to complete the installation, supplying the database user and password created before.

== Clients ==
There are clients available for many platforms, Android included:
* http://owncloud.org/sync-clients/ ''(ownCloud Sync clients)''
* http://owncloud.org/support/android/ ''(Android client)''

[[Category:Server]]

OwnCloud

2012-11-15T10:33:13Z

Mhavela: /* mysql */ Configure mysql

{{draft}}
[http://owncloud.org/ ownCloud] is WedDAV-based solution for storing and sharing on-line your data, files, images, video, music, calendars and contacts. You can have your ownCloud instance up and running in 5 minutes with Alpine!

= Installation =
{{pkg|ownCloud}} is available from Alpine 2.5 and greater.

Before you start installing anything, make sure you have latest packages available. Make sure you are using a 'http' repository in your {{path|/etc/apk/repositories}} and then run:
{{cmd|apk update}}
{{tip|Detailed information is found in [[Include:Upgrading_to_latest_release|this]] doc.}}

== Database ==
First you have to decide which database to use. Follow one of the below database alternatives.
=== sqlite ===
All you need to do is to install the package
{{cmd|apk add owncloud-sqlite}}
{{warning|{{pkg|sqlite}}+{{pkg|owncould}} is known to have some problem, so do not expect it work. This note should be removed when {{pkg|sqlite}}+{{pkg|owncould}} works. ''(Still a problem at 2012-11-15)''}}
=== postgresql ===
Install the package
{{cmd|apk add owncloud-psql}}

Next thing is to configure and start the database
{{cmd|/etc/init.d/postgresql setup
/etc/init.d/postgresql start}}

Next you need to create a user, database and set permissions.
{{cmd|# psql -U postgres
postgres{{=}}# CREATE USER owncloud WITH PASSWORD '<%STRONG_PASSWORD%>';
postgres{{=}}# CREATE DATABASE owncloud;
postgres{{=}}# GRANT ALL ON DATABASE owncloud TO owncloud;
postgres{{=}}# \q}}
{{note|The above commands creates the user 'owncloud' with a password you provide and the database 'owncloud'. Remember these settings, you will need them later when setting up owncloud}}

=== mysql ===
Install the package
{{cmd|apk add owncloud-mysql}}

Now configure and start {{pkg|mysql}}
{{cmd|/etc/init.d/mysql setup
/etc/init.d/mysql start
/usr/bin/mysql_secure_installation}}
Follow the wizard to setup passwords etc.

== Webserver ==
Next thing is to choose, install and configure a webserver. Choose one alternative from below ''(or setup a webserver of your choise)''

=== lighttpd ===
Install the package
{{cmd|apk add lighttpd}}

Make sure you have FastCGI enabled in {{pkg|lighttpd}}:
{{cat|/etc/lighttpd/lighttpd.conf|...
include "mod_fastcgi.conf"
...}}

Start up the webserver
{{cmd|/etc/init.d/lighttpd start}}

=== XYZ webserver ===
You could try installing some other webserver and document it here
* Apache2
* cherokee
* other...

=== Other ===
Link owncloud installation to web server directory:
{{cmd|ln -s /usr/share/webapps/owncloud /var/www/localhost/htdocs/owncloud}}

== Other settings ==
=== Hardening ===
Consider adding the following line for additional security to the owncloud configuration file, where the password database is stored:
{{cat|/etc/lighttpd/lighttpd.conf|...
url.access-deny {{=}} ("config.php")
...}}

=== Folder permissions ===
The web server user needs to have ownership on some dirs. This is fixed by running the following commands:
{{cmd|chown -R lighttpd.lighttpd /etc/owncloud
chown -R lighttpd.lighttpd /usr/share/webapps/owncloud/apps
chown -R lighttpd.lighttpd /var/lib/owncloud/data}}

=== Additional packages ===
Some large apps, such as texteditor and videoviewer are in separate package:
{{cmd|apk add owncloud-texteditor owncloud-videoviewer}}

= Configure and use ownCloud =
== Configure ==
Point your browser at <code><nowiki>http://<%MY_SERVER_IP%>/owncloud</nowiki></code> and follow the on-screen instructions to complete the installation, supplying the database user and password created before.

== Clients ==
There are clients available for many platforms, Android included:
* http://owncloud.org/sync-clients/ ''(ownCloud Sync clients)''
* http://owncloud.org/support/android/ ''(Android client)''

[[Category:Server]]

OwnCloud

2012-11-15T09:26:32Z

Mhavela: Restructuring page

{{draft}}
[http://owncloud.org/ ownCloud] is WedDAV-based solution for storing and sharing on-line your data, files, images, video, music, calendars and contacts. You can have your ownCloud instance up and running in 5 minutes with Alpine!

= Installation =
{{pkg|ownCloud}} is available from Alpine 2.5 and greater.

Before you start installing anything, make sure you have latest packages available. Make sure you are using a 'http' repository in your {{path|/etc/apk/repositories}} and then run:
{{cmd|apk update}}
{{tip|Detailed information is found in [[Include:Upgrading_to_latest_release|this]] doc.}}

== Database ==
First you have to decide which database to use. Follow one of the below database alternatives.
=== sqlite ===
All you need to do is to install the package
{{cmd|apk add owncloud-sqlite}}
{{warning|{{pkg|sqlite}}+{{pkg|owncould}} is known to have some problem, so do not expect it work. This note should be removed when {{pkg|sqlite}}+{{pkg|owncould}} works. ''(Still a problem at 2012-11-15)''}}
=== postgresql ===
Install the package
{{cmd|apk add owncloud-psql}}

Next thing is to configure and start the database
{{cmd|/etc/init.d/postgresql setup
/etc/init.d/postgresql start}}

Next you need to create a user, database and set permissions.
{{cmd|# psql -U postgres
postgres{{=}}# CREATE USER owncloud WITH PASSWORD '<%STRONG_PASSWORD%>';
postgres{{=}}# CREATE DATABASE owncloud;
postgres{{=}}# GRANT ALL ON DATABASE owncloud TO owncloud;
postgres{{=}}# \q}}
{{note|The above commands creates the user 'owncloud' with a password you provide and the database 'owncloud'. Remember these settings, you will need them later when setting up owncloud}}

=== mysql ===
Install the package
{{cmd|apk add owncloud-mysql}}

Now configure {{pkg|mysql}}
{{cmd|/etc/init.d/mysql setup}}
{{note|When you configure {{pkg|mysql}} for first time, you will see some instructions on the console. It is wise to do the actions presented on the screen to enhance security of {{pkg|mysql}} }}
Next start the database
{{cmd|/etc/init.d/mysql start}}

== Webserver ==
Next thing is to choose, install and configure a webserver. Choose one alternative from below ''(or setup a webserver of your choise)''

=== lighttpd ===
Install the package
{{cmd|apk add lighttpd}}

Make sure you have FastCGI enabled in {{pkg|lighttpd}}:
{{cat|/etc/lighttpd/lighttpd.conf|...
include "mod_fastcgi.conf"
...}}

Start up the webserver
{{cmd|/etc/init.d/lighttpd start}}

=== XYZ webserver ===
You could try installing some other webserver and document it here
* Apache2
* cherokee
* other...

=== Other ===
Link owncloud installation to web server directory:
{{cmd|ln -s /usr/share/webapps/owncloud /var/www/localhost/htdocs/owncloud}}

== Other settings ==
=== Hardening ===
Consider adding the following line for additional security to the owncloud configuration file, where the password database is stored:
{{cat|/???/???/???|...
url.access-deny {{=}} ("config.php")
...}}
{{todo|Where should this config go?}}

=== Folder permissions ===
The web server user needs to have ownership on some dirs. This is fixed by running the following commands:
{{cmd|chown -R lighttpd.lighttpd /etc/owncloud
chown -R lighttpd.lighttpd /usr/share/webapps/owncloud/apps
chown -R lighttpd.lighttpd /var/lib/owncloud/data}}

=== Additional packages ===
Some large apps, such as texteditor and videoviewer are in separate package:
{{cmd|apk add owncloud-texteditor owncloud-videoviewer}}

= Configure and use ownCloud =
== Configure ==
Point your browser at <code><nowiki>http://<%MY_SERVER_IP%>/owncloud</nowiki></code> and follow the on-screen instructions to complete the installation, supplying the database user and password created before.

== Clients ==
There are clients available for many platforms, Android included:
* http://owncloud.org/sync-clients/ ''(ownCloud Sync clients)''
* http://owncloud.org/support/android/ ''(Android client)''

[[Category:Server]]

How-To Alpine Wall

2012-10-29T16:06:25Z

Mhavela: Updating path for Policy files suggesting users to save their Policy files in /etc/awall/optional so we can skip the 'lbu inc && lbu ci' part in this doc (making it simpler to understand).

{{Draft}}

= General =
Purpose of this doc is to illustrate Alpine Wall ({{pkg|AWall}}) by examples. 
We will explain {{pkg|AWall}} from the viewpoint of a Shorewall user. 

{{pkg|AWall}} is available since Alpine v2.4. 
Please see [[Alpine_Wall_User's_Guide]] for details about the syntax.

Some of the below features and examples assumes that you are running {{pkg|AWall}} version 0.2.12 or later. 
Make sure you are running latest version by running the following commands:
{{cmd|apk update
apk add -u awall
apk version awall}}

== Structure ==
Your {{pkg|AWall}} firewall configuration file(s) goes to {{Path|/etc/awall/optional}} 
Each such file is called ''Policy''. 
{{note| {{pkg|AWall}} versions prior 0.2.12 will only look for ''Policy'' files in {{Path|/usr/share/awall/optional}}. From version 0.2.12 and higher, {{pkg|AWall}} will look for ''Policy'' files in both {{Path|/etc/awall/optional}} and {{Path|/usr/share/awall/optional}}}}
You may have multiple ''Policy'' files ''(it is useful to have separate files for eg. HTTP,FTP and other roles)''. 
The ''Policy(s)'' can be enabled or disabled by using the "awall [enable|disable]" command.
{{note|{{pkg|AWall}}'s ''Policy'' files are not equivalent to Shorewalls {{Path|/etc/shorewall/policy}} file.}}
An {{pkg|AWall}} ''Policy'' can contain definitions of:
* variables ''(like {{Path|/etc/shorewall/params}})''
* zones ''(like {{Path|/etc/shorewall/zones}})''
* interfaces ''(like {{Path|/etc/shorewall/interfaces}})''
* policies ''(like {{Path|/etc/shorewall/policy}})''
* filters and NAT rules ''(like {{Path|/etc/shorewall/rules}})''
* services ''(like {{Path|/usr/share/shorewall/macro.HTTP}})''

== Prerequisites ==
After installing {{pkg|AWall}}, you need to load the following iptables modules:
{{cmd|modprobe ip_tables
modprobe iptable_nat #if NAT is used}}

This is needed only the first time, after {{pkg|AWall}} installation.

Make the firewall autostart at boot and autoload the needed modules:
{{cmd|rc-update add iptables}}

= A Basic Home Firewall =
We will give a example on how you can convert a "Basic home firewall" from Shorewall to {{pkg|AWall}}.

== Example firewall using Shorewall ==
Let's suppose you have the following Shorewall configuration:

'''/etc/shorewall/zones'''
<pre>
inet ipv4
loc ipv4
</pre>

'''/etc/shorewall/interfaces'''
<pre>
inet eth0
loc eth1
</pre>

'''/etc/shorewall/policy'''
<pre>
fw all ACCEPT
loc inet ACCEPT
all all DROP
</pre>

'''/etc/shorewall/masq'''
<pre>
eth0 0.0.0.0/0
</pre>

== Example firewall using AWall ==
Now we will configure {{pkg|AWall}} to do the same thing as we just did with the above Shorewall example.

Create a new file called {{Path|/etc/awall/optional/test-policy.json}} and add the following content to the file. 
{{Tip|You could call it something else as long as you save it in {{Path|/etc/awall/optional/}} and name it {{Path|???'''.json'''}})}}
<pre>
{
"description": "Home firewall",

"zone": {
"inet": { "iface": "eth0" },
"loc": { "iface": "eth1" }
},

"policy": [
{ "in": "_fw", "action": "accept" },
{ "in": "loc", "out": "inet", "action": "accept" }
],

"snat": [
{ "out": "inet" }
]
}
</pre>
The above configuration will:
* Create a description of your ''Policy''
* Define ''zones''
* Define ''policy''
* Define ''snat'' ''(to masqurade the outgoing traffic)''
{{Note|''snat'' means "source NAT". It does not mean "static NAT".}}
{{Tip| {{pkg|AWall}} has a built-in zone named "_fw" which is the "firewall itself". This corresponds to the Shorewall "fw" zone.}}

=== Activating/Applying a Policy ===
After saving the ''Policy'' you can run the following commands to activate your firewall settings:
{{cmd|awall list # Listing available 'Policy(s)' (This step is optional)
awall enable test-policy # Enables the 'Policy'
awall activate # Genereates firewall configuration from the 'Policy' files and enables it (starts the firewall)}}

If you have multiple policies, after enabling or disabling them, you need to always run ''awall activate'' in order to update the iptables rules.

= Advanced Firewall settings =
Assuming you have your {{Path|/etc/awall/optional/test-policy.json}} with your "Basic home firewall" settings, you could choose to modify that file to test the below examples.
{{tip|You could create new files in {{Path|/etc/awall/optional/}} for testing some of the below examples}}

== Logging ==
{{pkg|AWall}} will ''(since v0.2.7)'' automatically log dropped packets. 
You could add the following row to the "policy" section in your ''Policy'' file in order to see the dropped packets.
<pre>{ "in": "inet", "out": "loc", "action": "drop" }</pre>
{{Note|If you are using Alpine 2.4 repository ({{pkg|AWall}} v0.2.5 or below), you should use <code>"action": "logdrop"</code> in order to log dropped packets .}}
{{Note|If you are adding the above content to an already existing file, then make sure you add "," signs where they are needed!}}

== Port-Forwarding ==
Let's suppose you have a local web server (192.168.1.10) that you want to make accessible from the "inet". 
With Shorewall you would have a rule like this in your {{Path|/etc/shorewall/rules}}:
<pre>
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) DEST
DNAT inet loc:192.168.1.10 tcp 80
</pre>

Lets configure our {{pkg|AWall}} ''Policy'' file likewise by adding the following content.
<pre>
"variable": {
"APACHE": "192.168.1.10",
"STATIC_IP": "1.2.3.4"
},

"filter": [
{ "in": "inet",
"dest": "$STATIC_IP",
"service": "http",
"action": "accept",
"dnat": "$APACHE"
}
]
</pre>
As you can see in the above example, we create a
* "variable" section where we specify some IP-addresses
* "filter" section where we do the actual port-forwarding (using the variables we just created and using some preexisting "services" definitions)
{{Note|If you are adding the above content to a already existing file, then make sure you add "," signs where they are needed!}}
{{Tip|{{pkg|AWall}} already has a "service" definition list for several services like HTTP, FTP, SNMP, etc. ''(see {{Path|/usr/share/awall/mandatory/services.json}})''}}

== Create your own service definitions ==
You can add your own service definitions into your ''Policy'' files:
<pre>
"service": {
"openvpn": { "proto": "udp", "port": 1194 }
}
</pre>
{{Note|You can not override a "service" definition that comes from {{Path|/usr/share/awall/mandatory/services.json}} }}
{{Note|If you are adding the above content to a already existing file, then make sure you add "," signs where they are needed!}}

== Inherit services or variables ==
You can import a ''Policy'' into other ''Policy'' files for inheriting services or variables definitions:
<pre>
"import": "myfirewall"
</pre>

== Specify load order ==
By default policies are loaded on alphabetical order. 
You can change the load order with the keywords "before" and "after":
<pre>
"before": "myfirewall"
"after": "someotherpolicy"
</pre>

= Other =
== Help and debugging ==
If you end up in some kind of trouble, you might find some commands useful when debugging:
{{cmd|awall # (With no parameters) Shows some basic help about awall application
iptables -L -n # Show what's in <code>iptables</code>}}

[[Category:Networking]]
[[Category:Security]]

Tmux

2012-10-24T15:08:03Z

Mhavela: /* Close or kill a session */ Bugfix on how to kill a window

{{pkg|tmux}} is a terminal multiplexer. It's a good tool for e.g. remote support. It can also be used to start a command you want to keep running after you close your console session (you can later on attach to your running session).

= Install =
In order to use {{pkg|tmux}} you will have to install it:
{{cmd|apk add tmux}}

= Usage =

== Start a new session ==
To create a {{pkg|tmux}} session you just enter:
{{cmd|tmux}}

== List existing sessions ==
When you have started some session(s) you can list them:
{{cmd|tmux ls}}
{{tip|Above command can also be run as <code>tmux list-sessions</code>}}
You might get a list that looks like this:
<pre>
0: 1 windows (created Wed Oct 24 15:12:12 2012) [126x35]
1: 1 windows (created Wed Oct 24 15:14:44 2012) [126x35]
</pre>

== Attach to a existing session ==
Lets say you want to attach to a existing session (e.g. the above <code>1: 1 windows</code> session).
{{cmd|tmux attach -t 1}}
{{tip|If you only have one session you don't need to specify session. Just run <code>tmux attach</code>}}

== Controlling a session ==
While inside a {{pkg|tmux}} session, you can control it using keyboard shortcuts. We will only describe some of those alternatives.

{{tip|To enter a keyboard shortcut that controls the current {{pkg|tmux}} session, you should click {{key|B}} while holding down {{key|CTRL}} In the below examples this procedure is described as <code>C-b</code>}}
=== Get help ===
One of the most useful commands is the one that gives you 'help'. 
While in your {{pkg|tmux}} session, click:
{{cmd|C-b ?}}
''(Do not press/hold {{key|CTRL}} when clicking {{key|?}})''

=== Detach from a session ===
Sometimes it's useful to just detach from a session without killing it. 
{{cmd|C-b d}}
{{tip|Try starting <code>ping 127.0.0.1</code> while inside a session and then detach from the session. After some while re-connect to the session using <code>tmux attach</code>. Note that the "seq" value indicates that ping had continued running while you where detached from the session.}}

=== Close or kill a session ===
To 'kill' a session:
{{cmd|C-b &}}
Confirm by clicking {{key|y}} when prompted.

You can also 'kill' your session by entering:
{{cmd|exit}}

= Other terminal multiplexers =
A similar tool is {{pkg|screen}} which is documented [[Screen_on_console|here]].

[[Category:Shell]]

Screen terminal multiplexer

2012-10-24T15:07:41Z

Mhavela: /* Close or kill a session */ Fixed typo

{{pkg|screen}} is a terminal multiplexer. It's a good tool for e.g. remote support. It can also be used to start a command you want to keep running after you close your console session (you can later on attach to your running session). When you enter a {{pkg|screen}} session you will not notice too much. 
To know if you are inside a {{pkg|screen}} session, use the notes in '[[#Get_help|get help]]' section mentioned below.

= Install =
In order to use {{pkg|screen}} you will have to install it:
{{cmd|apk add screen}}

= Usage =

== Start a new session ==
To enter a {{pkg|screen}} session you just enter:
{{cmd|screen}}

== List existing sessions ==
When you have started some session(s) you can list them:
{{cmd|screen -list}}
You might get a list that looks like this:
<pre>
There are screens on:
11151.pts-1.mhlab01 (Attached)
11131.pts-3.mhlab01 (Attached)
2 Sockets in /var/run/screen/S-root.
</pre>

== Attach to a existing session ==
Lets say you want to attach to a existing session (e.g. the above <code>11131.pts-3.mhlab01</code> session).
{{cmd|screen -x 11131}}
or
{{cmd|screen -x pts-3}}
{{tip|If you see <code>Attaching from inside of screen?</code>, you are already inside a screen session.}}

== Controlling a screen session ==
While inside a {{pkg|screen}} session, you can control it using keyboard shortcuts. We will only describe some of those alternatives.

{{tip|To enter a keyboard shortcut that controls the current {{pkg|screen}} session, you should click {{key|A}} while holding down {{key|CTRL}} In the below examples this procedure is described as <code>^A</code>}}
=== Get help ===
One of the most useful commands is the one that gives you 'help'. 
While in your {{pkg|screen}} session, click:
{{cmd|^A ?}}
''(Do not press/hold {{key|CTRL}} when clicking {{key|?}})''

=== Detach from a session ===
Sometimes it's useful to just detach from a session without killing it. 
{{cmd|^A d}}
{{tip|Try starting <code>ping 127.0.0.1</code> while inside a screen session and then detach from the session. After some while re-connect to the session using <code>screen -x</code>. Note that the "seq" value indicates that ping had continued running while you where detached from the session.}}

=== Close or kill a session ===
To 'kill' a session:
{{cmd|^A k}}
Confirm by clicking {{key|y}} when prompted.

You can also 'kill' your session by entering:
{{cmd|exit}}

= Extra =
== Connect to serial console ==
{{pkg|screen}} is a good tool when you need to connect to a serial console ''(e.g. if you want to configure a switch using it's serial port)''. Connecting to a serial console could look like this:
{{cmd|screen /dev/ttyS0 9600}}

== Force console users into a screen session ==
In some cases you might want to force only console users into a screen session. 
Note that the this configuration will not force SSH-users into a screen. 
Edit {{path|/etc/profile}} and add the following code to it:
<pre>
if [ -n "$PS1" ] && [ -z "$STARTED_SCREEN" ] && [ -z "$SSH_TTY" ]; then
STARTED_SCREEN=1 ; export STARTED_SCREEN
screen -RR && exit 0
echo "Screen failed! continuing with normal bash startup"
fi
</pre>

== Force console and SSH users into a screen session ==
The above example holds the if-statement:
&& [ -z "$SSH_TTY" ]
Remove this part from above configuration to force SSH sessions into a screen session. 
{{Note|Console users will also be forced into a screen session when folowing these instructions}}

= Other terminal multiplexers =
A similar tool is {{pkg|tmux}} which is documented [[Tmux_terminal_multiplexer|here]].

[[Category:Shell]]

Screen on console

2012-10-24T14:23:26Z

Mhavela: Mhavela moved page Screen on console to Screen terminal multiplexer: The previous name could be misunderstood. This new name specifies that this is a terminal multiplexer.

#REDIRECT [[Screen terminal multiplexer]]

Screen terminal multiplexer

2012-10-24T14:23:26Z

Mhavela: Mhavela moved page Screen on console to Screen terminal multiplexer: The previous name could be misunderstood. This new name specifies that this is a terminal multiplexer.

{{pkg|screen}} is a terminal multiplexer. It's a good tool for e.g. remote support. It can also be used to start a command you want to keep running after you close your console session (you can later on attach to your running session). When you enter a {{pkg|screen}} session you will not notice too much. 
To know if you are inside a {{pkg|screen}} session, use the notes in '[[#Get_help|get help]]' section mentioned below.

= Install =
In order to use {{pkg|screen}} you will have to install it:
{{cmd|apk add screen}}

= Usage =

== Start a new session ==
To enter a {{pkg|screen}} session you just enter:
{{cmd|screen}}

== List existing sessions ==
When you have started some session(s) you can list them:
{{cmd|screen -list}}
You might get a list that looks like this:
<pre>
There are screens on:
11151.pts-1.mhlab01 (Attached)
11131.pts-3.mhlab01 (Attached)
2 Sockets in /var/run/screen/S-root.
</pre>

== Attach to a existing session ==
Lets say you want to attach to a existing session (e.g. the above <code>11131.pts-3.mhlab01</code> session).
{{cmd|screen -x 11131}}
or
{{cmd|screen -x pts-3}}
{{tip|If you see <code>Attaching from inside of screen?</code>, you are already inside a screen session.}}

== Controlling a screen session ==
While inside a {{pkg|screen}} session, you can control it using keyboard shortcuts. We will only describe some of those alternatives.

{{tip|To enter a keyboard shortcut that controls the current {{pkg|screen}} session, you should click {{key|A}} while holding down {{key|CTRL}} In the below examples this procedure is described as <code>^A</code>}}
=== Get help ===
One of the most useful commands is the one that gives you 'help'. 
While in your {{pkg|screen}} session, click:
{{cmd|^A ?}}
''(Do not press/hold {{key|CTRL}} when clicking {{key|?}})''

=== Detach from a session ===
Sometimes it's useful to just detach from a session without killing it. 
{{cmd|^A d}}
{{tip|Try starting <code>ping 127.0.0.1</code> while inside a screen session and then detach from the session. After some while re-connect to the session using <code>screen -x</code>. Note that the "seq" value indicates that ping had continued running while you where detached from the session.}}

=== Close or kill a session ===
To 'kill' a session:
{{cmd|^A k}}
Confirm by clicking {{key|y}} when prompted.

You can also 'kill' you session by entering:
{{cmd|exit}}

= Extra =
== Connect to serial console ==
{{pkg|screen}} is a good tool when you need to connect to a serial console ''(e.g. if you want to configure a switch using it's serial port)''. Connecting to a serial console could look like this:
{{cmd|screen /dev/ttyS0 9600}}

== Force console users into a screen session ==
In some cases you might want to force only console users into a screen session. 
Note that the this configuration will not force SSH-users into a screen. 
Edit {{path|/etc/profile}} and add the following code to it:
<pre>
if [ -n "$PS1" ] && [ -z "$STARTED_SCREEN" ] && [ -z "$SSH_TTY" ]; then
STARTED_SCREEN=1 ; export STARTED_SCREEN
screen -RR && exit 0
echo "Screen failed! continuing with normal bash startup"
fi
</pre>

== Force console and SSH users into a screen session ==
The above example holds the if-statement:
&& [ -z "$SSH_TTY" ]
Remove this part from above configuration to force SSH sessions into a screen session. 
{{Note|Console users will also be forced into a screen session when folowing these instructions}}

= Other terminal multiplexers =
A similar tool is {{pkg|tmux}} which is documented [[Tmux_terminal_multiplexer|here]].

[[Category:Shell]]

Screen terminal multiplexer

2012-10-24T14:11:00Z

Mhavela: Fixed some typos and added link to tmux documentation

{{pkg|screen}} is a terminal multiplexer. It's a good tool for e.g. remote support. It can also be used to start a command you want to keep running after you close your console session (you can later on attach to your running session). When you enter a {{pkg|screen}} session you will not notice too much. 
To know if you are inside a {{pkg|screen}} session, use the notes in '[[#Get_help|get help]]' section mentioned below.

= Install =
In order to use {{pkg|screen}} you will have to install it:
{{cmd|apk add screen}}

= Usage =

== Start a new session ==
To enter a {{pkg|screen}} session you just enter:
{{cmd|screen}}

== List existing sessions ==
When you have started some session(s) you can list them:
{{cmd|screen -list}}
You might get a list that looks like this:
<pre>
There are screens on:
11151.pts-1.mhlab01 (Attached)
11131.pts-3.mhlab01 (Attached)
2 Sockets in /var/run/screen/S-root.
</pre>

== Attach to a existing session ==
Lets say you want to attach to a existing session (e.g. the above <code>11131.pts-3.mhlab01</code> session).
{{cmd|screen -x 11131}}
or
{{cmd|screen -x pts-3}}
{{tip|If you see <code>Attaching from inside of screen?</code>, you are already inside a screen session.}}

== Controlling a screen session ==
While inside a {{pkg|screen}} session, you can control it using keyboard shortcuts. We will only describe some of those alternatives.

{{tip|To enter a keyboard shortcut that controls the current {{pkg|screen}} session, you should click {{key|A}} while holding down {{key|CTRL}} In the below examples this procedure is described as <code>^A</code>}}
=== Get help ===
One of the most useful commands is the one that gives you 'help'. 
While in your {{pkg|screen}} session, click:
{{cmd|^A ?}}
''(Do not press/hold {{key|CTRL}} when clicking {{key|?}})''

=== Detach from a session ===
Sometimes it's useful to just detach from a session without killing it. 
{{cmd|^A d}}
{{tip|Try starting <code>ping 127.0.0.1</code> while inside a screen session and then detach from the session. After some while re-connect to the session using <code>screen -x</code>. Note that the "seq" value indicates that ping had continued running while you where detached from the session.}}

=== Close or kill a session ===
To 'kill' a session:
{{cmd|^A k}}
Confirm by clicking {{key|y}} when prompted.

You can also 'kill' you session by entering:
{{cmd|exit}}

= Extra =
== Connect to serial console ==
{{pkg|screen}} is a good tool when you need to connect to a serial console ''(e.g. if you want to configure a switch using it's serial port)''. Connecting to a serial console could look like this:
{{cmd|screen /dev/ttyS0 9600}}

== Force console users into a screen session ==
In some cases you might want to force only console users into a screen session. 
Note that the this configuration will not force SSH-users into a screen. 
Edit {{path|/etc/profile}} and add the following code to it:
<pre>
if [ -n "$PS1" ] && [ -z "$STARTED_SCREEN" ] && [ -z "$SSH_TTY" ]; then
STARTED_SCREEN=1 ; export STARTED_SCREEN
screen -RR && exit 0
echo "Screen failed! continuing with normal bash startup"
fi
</pre>

== Force console and SSH users into a screen session ==
The above example holds the if-statement:
&& [ -z "$SSH_TTY" ]
Remove this part from above configuration to force SSH sessions into a screen session. 
{{Note|Console users will also be forced into a screen session when folowing these instructions}}

= Other terminal multiplexers =
A similar tool is {{pkg|tmux}} which is documented [[Tmux_terminal_multiplexer|here]].

[[Category:Shell]]

Tmux

2012-10-24T14:04:32Z

Mhavela: tmux as a alternative to GNU Screen

{{pkg|tmux}} is a terminal multiplexer. It's a good tool for e.g. remote support. It can also be used to start a command you want to keep running after you close your console session (you can later on attach to your running session).

= Install =
In order to use {{pkg|tmux}} you will have to install it:
{{cmd|apk add tmux}}

= Usage =

== Start a new session ==
To create a {{pkg|tmux}} session you just enter:
{{cmd|tmux}}

== List existing sessions ==
When you have started some session(s) you can list them:
{{cmd|tmux ls}}
{{tip|Above command can also be run as <code>tmux list-sessions</code>}}
You might get a list that looks like this:
<pre>
0: 1 windows (created Wed Oct 24 15:12:12 2012) [126x35]
1: 1 windows (created Wed Oct 24 15:14:44 2012) [126x35]
</pre>

== Attach to a existing session ==
Lets say you want to attach to a existing session (e.g. the above <code>1: 1 windows</code> session).
{{cmd|tmux attach -t 1}}
{{tip|If you only have one session you don't need to specify session. Just run <code>tmux attach</code>}}

== Controlling a session ==
While inside a {{pkg|tmux}} session, you can control it using keyboard shortcuts. We will only describe some of those alternatives.

{{tip|To enter a keyboard shortcut that controls the current {{pkg|tmux}} session, you should click {{key|B}} while holding down {{key|CTRL}} In the below examples this procedure is described as <code>C-b</code>}}
=== Get help ===
One of the most useful commands is the one that gives you 'help'. 
While in your {{pkg|tmux}} session, click:
{{cmd|C-b ?}}
''(Do not press/hold {{key|CTRL}} when clicking {{key|?}})''

=== Detach from a session ===
Sometimes it's useful to just detach from a session without killing it. 
{{cmd|C-b d}}
{{tip|Try starting <code>ping 127.0.0.1</code> while inside a session and then detach from the session. After some while re-connect to the session using <code>tmux attach</code>. Note that the "seq" value indicates that ping had continued running while you where detached from the session.}}

=== Close or kill a session ===
To 'kill' a session:
{{cmd|C-b k}}

You can also 'kill' your session by entering:
{{cmd|exit}}

= Other terminal multiplexers =
A similar tool is {{pkg|screen}} which is documented [[Screen_on_console|here]].

[[Category:Shell]]

Screen terminal multiplexer

2012-10-24T13:03:15Z

Mhavela: /* Extra */ Serial port using screen

{{pkg|screen}} is a good tool for remote support. It can also be used to start a command you want to keep running after you close your console session (you can later on attach to your running {{pkg|screen}} session). When you enter a {{pkg|screen}} session you will not notice too much. 
To know if you are inside a {{pkg|screen}} session, use the notes in '[[#Get_help|get help]]' section mentioned below.

= Install =
In order to use {{pkg|screen}} you will have to install it:
{{cmd|apk add screen}}

= Usage =

== Start a new session ==
To enter a {{pkg|screen}} session you just enter:
{{cmd|screen}}

== List existing sessions ==
When you have started some session(s) you can list them:
{{cmd|screen -list}}
You might get a list that looks like this:
<pre>
There are screens on:
11151.pts-1.mhlab01 (Attached)
11131.pts-3.mhlab01 (Attached)
2 Sockets in /var/run/screen/S-root.
</pre>

== Attach to a existing session ==
Lets say you want to attach to a existing session (e.g. the above <code>11131.pts-3.mhlab01</code> session).
{{cmd|screen -x 11131}}
or
{{cmd|screen -x pts-3}}
{{tip|If you see <code>Attaching from inside of screen?</code>, you are allready inside a screen session.}}

== Controlling a screen session ==
While inside a {{pkg|screen}} session, you can controll it using keyboard shortcuts. We will only describe some of those alternatives.

{{tip|To enter a keyboard shortcut that controls the current {{pkg|screen}} session, you should click {{key|A}} while holding down {{key|CTRL}} In the below examples this procedure is described as <code>^A</code>}}
=== Get help ===
One of the most useful commands is the one that gives you 'help'. 
While in your {{pkg|screen}} session, click:
{{cmd|^A ?}}
''(Do not press/hold {{key|CTRL}} when clicking {{key|?}})''

=== Detach from a session ===
Sometimes it's useful to just detach from a session without killing it. 
{{cmd|^A d}}
{{tip|Try starting <code>ping 127.0.0.1</code> while inside a screen session and then detatch from the session. After some while re-connect to the session using <code>screen -x</code>. Note that the "seq" value indikates that ping had continued running while you where detatched from the session.}}

=== Close or kill a session ===
To 'kill' a session:
{{cmd|^A k}}
Confirm by clicking {{key|y}} when prompted.

You can also 'kill' you session by entering:
{{cmd|exit}}

= Extra =
== Connect to serial console ==
{{pkg|screen}} is a good tool when you need to connect to a serial console ''(e.g. if you want to configure a switch using it's serial port)''. Connecting to a serial console could look like this:
{{cmd|screen /dev/ttyS0 9600}}

== Force console users into a screen session ==
In some cases you might want to force only console users into a screen session. 
Note that the this configuration will not force SSH-users into a screen. 
Edit {{path|/etc/profile}} and add the following code to it:
<pre>
if [ -n "$PS1" ] && [ -z "$STARTED_SCREEN" ] && [ -z "$SSH_TTY" ]; then
STARTED_SCREEN=1 ; export STARTED_SCREEN
screen -RR && exit 0
echo "Screen failed! continuing with normal bash startup"
fi
</pre>

== Force console and SSH users into a screen session ==
The above example holds the if-statement:
&& [ -z "$SSH_TTY" ]
Remove this part from above configuration to force SSH sessions into a screen session. 
{{Note|Console users will also be forced into a screen session when folowing these instructions}}

[[Category:Shell]]

Screen terminal multiplexer

2012-10-24T10:06:24Z

Mhavela: /* General */

{{pkg|screen}} is a good tool for remote support. It can also be used to start a command you want to keep running after you close your console session (you can later on attach to your running {{pkg|screen}} session). When you enter a {{pkg|screen}} session you will not notice too much. 
To know if you are inside a {{pkg|screen}} session, use the notes in '[[#Get_help|get help]]' section mentioned below.

= Install =
In order to use {{pkg|screen}} you will have to install it:
{{cmd|apk add screen}}

= Usage =

== Start a new session ==
To enter a {{pkg|screen}} session you just enter:
{{cmd|screen}}

== List existing sessions ==
When you have started some session(s) you can list them:
{{cmd|screen -list}}
You might get a list that looks like this:
<pre>
There are screens on:
11151.pts-1.mhlab01 (Attached)
11131.pts-3.mhlab01 (Attached)
2 Sockets in /var/run/screen/S-root.
</pre>

== Attach to a existing session ==
Lets say you want to attach to a existing session (e.g. the above <code>11131.pts-3.mhlab01</code> session).
{{cmd|screen -x 11131}}
or
{{cmd|screen -x pts-3}}
{{tip|If you see <code>Attaching from inside of screen?</code>, you are allready inside a screen session.}}

== Controlling a screen session ==
While inside a {{pkg|screen}} session, you can controll it using keyboard shortcuts. We will only describe some of those alternatives.

{{tip|To enter a keyboard shortcut that controls the current {{pkg|screen}} session, you should click {{key|A}} while holding down {{key|CTRL}} In the below examples this procedure is described as <code>^A</code>}}
=== Get help ===
One of the most useful commands is the one that gives you 'help'. 
While in your {{pkg|screen}} session, click:
{{cmd|^A ?}}
''(Do not press/hold {{key|CTRL}} when clicking {{key|?}})''

=== Detach from a session ===
Sometimes it's useful to just detach from a session without killing it. 
{{cmd|^A d}}
{{tip|Try starting <code>ping 127.0.0.1</code> while inside a screen session and then detatch from the session. After some while re-connect to the session using <code>screen -x</code>. Note that the "seq" value indikates that ping had continued running while you where detatched from the session.}}

=== Close or kill a session ===
To 'kill' a session:
{{cmd|^A k}}
Confirm by clicking {{key|y}} when prompted.

You can also 'kill' you session by entering:
{{cmd|exit}}

= Extra =
== Force console users into a screen session ==
In some cases you might want to force only console users into a screen session. 
Note that the this configuration will not force SSH-users into a screen. 
Edit {{path|/etc/profile}} and add the following code to it:
<pre>
if [ -n "$PS1" ] && [ -z "$STARTED_SCREEN" ] && [ -z "$SSH_TTY" ]; then
STARTED_SCREEN=1 ; export STARTED_SCREEN
screen -RR && exit 0
echo "Screen failed! continuing with normal bash startup"
fi
</pre>

== Force console and SSH users into a screen session ==
The above example holds the if-statement:
&& [ -z "$SSH_TTY" ]
Remove this part from above configuration to force SSH sessions into a screen session. 
{{Note|Console users will also be forced into a screen session when folowing these instructions}}

[[Category:Shell]]

Screen terminal multiplexer

2012-10-24T10:05:49Z

Mhavela: Restructuring a bit. Adding some notes and examples that indicates how screen can be used

{{pkg|screen}} is a good tool for remote support. It can also be used to start a command you want to keep running after you close your console session (you can later on attach to your running {{pkg|screen}} session). When you enter a {{pkg|screen}} session you will not notice too much. 
To know if you are inside a {{pkg|screen}} session, use the notes in '[[#Get_help|get help]]' section mentioned below.

= General =
== Install ==
In order to use {{pkg|screen}} you will have to install it:
{{cmd|apk add screen}}

= Usage =

== Start a new session ==
To enter a {{pkg|screen}} session you just enter:
{{cmd|screen}}

== List existing sessions ==
When you have started some session(s) you can list them:
{{cmd|screen -list}}
You might get a list that looks like this:
<pre>
There are screens on:
11151.pts-1.mhlab01 (Attached)
11131.pts-3.mhlab01 (Attached)
2 Sockets in /var/run/screen/S-root.
</pre>

== Attach to a existing session ==
Lets say you want to attach to a existing session (e.g. the above <code>11131.pts-3.mhlab01</code> session).
{{cmd|screen -x 11131}}
or
{{cmd|screen -x pts-3}}
{{tip|If you see <code>Attaching from inside of screen?</code>, you are allready inside a screen session.}}

== Controlling a screen session ==
While inside a {{pkg|screen}} session, you can controll it using keyboard shortcuts. We will only describe some of those alternatives.

{{tip|To enter a keyboard shortcut that controls the current {{pkg|screen}} session, you should click {{key|A}} while holding down {{key|CTRL}} In the below examples this procedure is described as <code>^A</code>}}
=== Get help ===
One of the most useful commands is the one that gives you 'help'. 
While in your {{pkg|screen}} session, click:
{{cmd|^A ?}}
''(Do not press/hold {{key|CTRL}} when clicking {{key|?}})''

=== Detach from a session ===
Sometimes it's useful to just detach from a session without killing it. 
{{cmd|^A d}}
{{tip|Try starting <code>ping 127.0.0.1</code> while inside a screen session and then detatch from the session. After some while re-connect to the session using <code>screen -x</code>. Note that the "seq" value indikates that ping had continued running while you where detatched from the session.}}

=== Close or kill a session ===
To 'kill' a session:
{{cmd|^A k}}
Confirm by clicking {{key|y}} when prompted.

You can also 'kill' you session by entering:
{{cmd|exit}}

= Extra =
== Force console users into a screen session ==
In some cases you might want to force only console users into a screen session. 
Note that the this configuration will not force SSH-users into a screen. 
Edit {{path|/etc/profile}} and add the following code to it:
<pre>
if [ -n "$PS1" ] && [ -z "$STARTED_SCREEN" ] && [ -z "$SSH_TTY" ]; then
STARTED_SCREEN=1 ; export STARTED_SCREEN
screen -RR && exit 0
echo "Screen failed! continuing with normal bash startup"
fi
</pre>

== Force console and SSH users into a screen session ==
The above example holds the if-statement:
&& [ -z "$SSH_TTY" ]
Remove this part from above configuration to force SSH sessions into a screen session. 
{{Note|Console users will also be forced into a screen session when folowing these instructions}}

[[Category:Shell]]

Alpine Linux:IRC

2012-10-24T08:59:22Z

Mhavela: /* Clients */ Added som chat client suggestions

Alpine Linux have registered the following channels on [http://freenode.net/ FreeNode]:
;[irc://irc.freenode.net/alpine-linux #alpine-linux]
: For general discussion and quick support questions.
;[irc://irc.freenode.net/alpine-devel #alpine-devel]
: For disussion of Alpine Linux development and developer support.

Please be patient when asking questions there. Might take a while for someone to answer.

If you are new to IRC and would like to try it out, you can use [http://webchat.freenode.net/ Freenode webchat]. Make sure you use one of the above channels.

== Clients ==
There are several clients available to join the IRC network. Please install one and get by.

* irssi
* weechat
* xchat
* ircii
* pidgin
* ''other...''

Alpine Linux:FAQ

2012-10-24T08:45:04Z

Mhavela: Removing obsolete packages

To get oriented and learn what makes our distribution distinctive, see the [http://alpinelinux.org/about About page] or [[Alpine Linux:Overview|our more detailed overview]].

[[Image:filetypes.svg|64px|left|link=]]
This is a list of '''frequently asked questions''' about Alpine Linux. 
If your question is not answered on this page, use the search box above to find work in progress pages not linked here, or in case of no answer, edit this page and write down your question.
{{Tip| Prepare your question. Think it through. Make it simple and understandable.}}

=General=

== I have found a bug, where can I report it? ==
You can report it on the [http://bugs.alpinelinux.org/ bugtracker].

== Are there any details about the releases available? ==
Yes, please check the [[Alpine Linux:Releases|Releases]] page.

== Alpine freezes during boot from Compact Flash, how can I fix? ==
Most Compact Flash card readers do not support proper DMA. 
You should append '''nodma''' to the ''append'' line in {{path|syslinux.cfg}}.

== How can I contribute? ==
You can contribute by:
* using the software and giving feedback
* by documenting your [http://www.alpinelinux.org Alpine Linux] experiences on this [[Main_Page|wiki]]
* in many other ways
Please visit [[Contribute|Contribute page]] to read more about this topic.

Your contributions are highly appreciated.

== How do I remove the CDROM? ==
Since the modloop loopback device is on CDROM you cannot just run ''eject''. You need to unmount the modloop first. 
Unmounting both the modloop and the cdrom in one step can be done by executing:
{{cmd|/etc/init.d/modloop stop}}

Then it's possible to eject the cdrom:
{{cmd|eject}}

== Why don't I have man pages or where is the 'man' command? ==
The {{pkg|man}} command and man pages are not installed by default.

* First, install the {{pkg|man}} package:
: {{Cmd|apk add man}}
* Once that's done, install the documentation for the packages that you require man pages for: (Keep in mind, however, it's possible that not all packages will have a corresponding documentation package.)
: {{Cmd|apk add <pkg>-doc}}
: For example, say you installed {{pkg|iptables}} and you now require its {{pkg|man}} pages:
: {{Cmd|apk add iptables-doc}}
 
In our example above, we installed the man pages (and other documentation) for iptables. We can now read it:
{{Cmd|man iptables}}

==Booting Alpine on an HP ML350 G6==
{{Note|This 'Booting Alpine on an HP ML350 G6' section, only applies to [http://www.alpinelinux.org/ Alpine Linux] 1.9.3 and earlier.}}
[http://bugs.alpinelinux.org/issues/228 Ticket 228] on [http://bugs.alpinelinux.org/ bugs.alpinelinux.org] includes a patch that disables the kernel module hpwdt by default.

Details: Kernel module for HP Watchdog Timer causes issues during boot. Solution is to create an overlay (ie {{path|hpwdt.apkovl.tar.gz}}) containing {{path|/etc/modprobe.d/hpwdt}} (which contains "blacklist hpwdt"), place that on some removable media (ie USB key) and insert that during boot process. This will insure that the offending module doesn't load and that the server will boot properly.

==My cron jobs don't run?==
The cron daemon is started automatically on system boot and executes the scripts placed in the folders under {{path|/etc/periodic}} - there's a {{path|15min}} folder, plus ones for {{path|hourly}}, {{path|daily}}, {{path|weekly}} and {{path|monthly}} scripts.

You can check whether your scripts are likely to run using the command:

: {{cmd|run-parts -t /etc/periodic/[foldername]}} - for example: ''run-parts -t /etc/periodic/15min''

This command will tell you what should run but will not actually execute the scripts.

If the results of the test are not as expected, check the following:

* Make sure the script is executable - if unsure, issue the command : {{cmd|chmod a+x [scriptname]}}
* Make sure the first line of your script is :<pre>#!/bin/sh</pre>
* Do not put file extensions on your script names - this stops them from working; for example: {{path|myscript}} will run, but {{path|myscript.sh}} won't

== What is the difference between edge and stable releases? ==
Stable releases are just what they sound like: initially a point-in-time snapshot of the package archives, but then maintained with bugfixes only in order to keep a stable environment.

[[Edge]] is more of a rolling-release, with the latest and greatest packages available in the online repositories. 
Occasionally, snapshot ISO images of the then-current state of [[edge]] are made and are available for download. 
Typically these are made when there are major kernel upgrades or package upgrades that require initramfs rebuilds.

== What kind of release of Alpine Linux are available? ==
Please check the [[Alpine_Linux:Releases|Releases]] page for more information.

=Setup=

== What is the difference between 'sys', 'data', and 'diskless' installs when running setup-alpine (or setup-disk)? ==
'''sys:''' This mode is a traditional disk install. The following partitions will be created on the disk: /boot, / (filesystem root) and swap. 
This mode may be used for development boxes, desktops, virtual servers, etc.

'''data:''' This mode uses your disk(s) for data storage, not for the operating system. The system itself will run from tmpfs (RAM).

Use this mode if you only want to use the disk(s) for a mailspool, databases, logs, etc.

'''diskless:''' No disks are to be used. [[Alpine local backup]] may still be used in this mode.

== How can I install a custom firmware in a diskless system? ==

The modules and firmware are both special images which are mounted as read-only. 
To fix this issue you can copy the firmware directory to your writeable media (cf/usb) and copy your custom firmware to it. 
After reboot Alpine should automatically use the directory on your local storage instead of the loopback device.

=Audio=

== How do I play my .ogg/.mp3 files? ==
First, the sound card should be recognized (you must have {{path|/dev/snd/*****}} files)

{{pkg|sox}}, {{pkg|mpg123}}, etc all use the oss sound driver, while Alpine uses ALSA drivers. 
So you need to load the snd-pcm-oss compatibility module. 
While you're at it, you might need {{pkg|aumix}} to turn up the sound volume
{{cmd|echo snd-pcm-oss >> /etc/modules
modprobe snd-pcm-oss
apk_add aumix sox
aumix (set volume settings)
play really_cool_song.mp3}}

= Time and timezones =

== How do I set the local timezone? ==

Starting in Alpine 2.2, setting the timezone can be done through the [[Setup-alpine|setup-alpine]] script, and no manual settings should be necessary. 
If you wish to edit the timezone after installation, run the [[Alpine_setup_scripts|setup-timezone]] script.

However, if you are using a previous version, please use the following steps:

/etc/timezone and the whole zoneinfo directory tree are not supported.
To set the timezone, set the TZ environment variable as specified in
http://www.opengroup.org/onlinepubs/007904975/basedefs/xbd_chap08.html
or you may also create an /etc/TZ file of a single line, ending with a
newline, containing the TZ setting. For example
echo CST6CDT > /etc/TZ
''Source: http://www.uclibc.org/downloads/Glibc_vs_uClibc_Differences.txt''

For more information, see how other uClibc-based distributions do this:
* http://leaf.sourceforge.net/doc/buci-tz3.html
* http://www.sonoracomm.com/index.php?option=com_content&task=view&id=107&Itemid=32

For a more complete list of timezones, please see: http://en.wikipedia.org/wiki/List_of_tz_database_time_zones

== OpenNTPD reports an error with "adjtime" ==
Your log contains something like:
reply from 85.214.86.126: offset 865033148.784255 delay 0.055466, next query 32s
reply from 202.150.212.24: offset 865033148.779314 delay 0.400771, next query 3s
adjusting local clock by 865033148.779835s
adjtime failed: Invalid argument

{{pkg|openntpd}} is supposed to make small adjustments in the time without causing time jumps. 
If the adjustment is too big then something is clearly wrong and ntpd gives up. (its actually adjtime(3) that has a limit on how big adjustments are allowed)

You can make ntpd set the time at startup by adding ''-s'' option to ntpd. This is done by setting '''NTPD_OPTS="-s"''' in {{path|/etc/conf.d/ntpd}}.

== Using a cron job to keep the time in sync ==
Add the following to {{path|/etc/periodic/daily}} (or use another folder under the {{path|/etc/periodic}} heirarchy if you want to run the script more/less frequently)

Example: file called {{path|do-ntp}}
<pre>
#!/bin/sh
ntpd -d -q -n -p uk.pool.ntp.org</pre>

This queries the uk time server pool - you can modify this to suit your localisation, or just use ''pool.ntp.org''. More info here: [http://www.pool.ntp.org/zone/@ http://www.pool.ntp.org/zone/@]

== Windows clients reports an error when trying to sync ==
{{pkg|openntpd}} needs to run for a while before it is satisfied it is in sync.
Until then it will set a flag "clock not synchronized" and Windows will report an error while trying to sync with your {{pkg|openntpd}} server.

Only thing to do is wait, do something else for 15-20mins and then check.

= Packages =
== Can you build an apk package for ...? ==
Yes, we probably can. 
Please create an [http://redmine.alpinelinux.org/projects/alpine/issues/new issue] in the [http://bugs.alpinelinux.org bugtracker]. Mark it as "feature" and include a short description (one-line), an url for the home page, and an url for the source package.

== How can I build my own package? ==
Please see the [[Creating an Alpine package]] page.

== WARNING: Ignoring APKINDEX.xxxx.tar.gz ==
If you get <code>WARNING: Ignoring APKINDEX.xxxx.tar.gz: No such file or directory</code> while running package related tools, check your {{path|/etc/apk/repositories}} file if an entry points to {{path|.../v2.4/testing/}}. This directory is gone.

To check the content of the repositories file
{{Cmd|cat /etc/apk/repositories}}

or
{{Cmd|setup-apkrepos}}

= Dynamic DNS =
== How do I schedule a regular dynamic DNS update? ==
You'll want to install the {{pkg|ez-ipupdate}} package:
{{cmd|apk add ez-ipupdate}}

After that, create a new file at {{path|/etc/ezipupdate.conf}} with the contents similar to:
service-type=dyndns
user=myusername:mypassword
interface=eth1
host=myhostname.dyndns.org

Make the new ip cache directory:
{{cmd|mkdir /var/cache/ez-ipupdate
lbu add /var/cache/ez-ipupdate}}

Then schedule a new cron job with this command:
{{cmd|echo >> /var/log/ez-ipupdate && /bin/date >> /var/log/ez-ipupdate && ez-ipupdate --config /etc/ez-ipupdate.conf -f -F /var/run/ez-ipupdate.pid --cache-file /var/cache/ez-ipupdate/ipcache --quiet >> /var/log/ez-ipupdate 2>&1}}

Don't forget to backup your settings!
{{cmd|lbu ci}}

Alpine Linux:FAQ

2012-10-24T08:40:12Z

Mhavela: Using macros to show/highlight what's a package,command,path or file content. Creating links to documents that describes a specific command or procedure. Additionally I added rowbreak to make the page more readable (if you ask me).

To get oriented and learn what makes our distribution distinctive, see the [http://alpinelinux.org/about About page] or [[Alpine Linux:Overview|our more detailed overview]].

[[Image:filetypes.svg|64px|left|link=]]
This is a list of '''frequently asked questions''' about Alpine Linux. 
If your question is not answered on this page, use the search box above to find work in progress pages not linked here, or in case of no answer, edit this page and write down your question.
{{Tip| Prepare your question. Think it through. Make it simple and understandable.}}

=General=

== I have found a bug, where can I report it? ==
You can report it on the [http://bugs.alpinelinux.org/ bugtracker].

== Are there any details about the releases available? ==
Yes, please check the [[Alpine Linux:Releases|Releases]] page.

== Alpine freezes during boot from Compact Flash, how can I fix? ==
Most Compact Flash card readers do not support proper DMA. 
You should append '''nodma''' to the ''append'' line in {{path|syslinux.cfg}}.

== How can I contribute? ==
You can contribute by:
* using the software and giving feedback
* by documenting your [http://www.alpinelinux.org Alpine Linux] experiences on this [[Main_Page|wiki]]
* in many other ways
Please visit [[Contribute|Contribute page]] to read more about this topic.

Your contributions are highly appreciated.

== How do I remove the CDROM? ==
Since the modloop loopback device is on CDROM you cannot just run ''eject''. You need to unmount the modloop first. 
Unmounting both the modloop and the cdrom in one step can be done by executing:
{{cmd|/etc/init.d/modloop stop}}

Then it's possible to eject the cdrom:
{{cmd|eject}}

== Why don't I have man pages or where is the 'man' command? ==
The {{pkg|man}} command and man pages are not installed by default.

* First, install the {{pkg|man}} package:
: {{Cmd|apk add man}}
* Once that's done, install the documentation for the packages that you require man pages for: (Keep in mind, however, it's possible that not all packages will have a corresponding documentation package.)
: {{Cmd|apk add <pkg>-doc}}
: For example, say you installed {{pkg|iptables}} and you now require its {{pkg|man}} pages:
: {{Cmd|apk add iptables-doc}}
 
In our example above, we installed the man pages (and other documentation) for iptables. We can now read it:
{{Cmd|man iptables}}

==Booting Alpine on an HP ML350 G6==
{{Note|This 'Booting Alpine on an HP ML350 G6' section, only applies to [http://www.alpinelinux.org/ Alpine Linux] 1.9.3 and earlier.}}
[http://bugs.alpinelinux.org/issues/228 Ticket 228] on [http://bugs.alpinelinux.org/ bugs.alpinelinux.org] includes a patch that disables the kernel module hpwdt by default.

Details: Kernel module for HP Watchdog Timer causes issues during boot. Solution is to create an overlay (ie {{path|hpwdt.apkovl.tar.gz}}) containing {{path|/etc/modprobe.d/hpwdt}} (which contains "blacklist hpwdt"), place that on some removable media (ie USB key) and insert that during boot process. This will insure that the offending module doesn't load and that the server will boot properly.

==My cron jobs don't run?==
The cron daemon is started automatically on system boot and executes the scripts placed in the folders under {{path|/etc/periodic}} - there's a {{path|15min}} folder, plus ones for {{path|hourly}}, {{path|daily}}, {{path|weekly}} and {{path|monthly}} scripts.

You can check whether your scripts are likely to run using the command:

: {{cmd|run-parts -t /etc/periodic/[foldername]}} - for example: ''run-parts -t /etc/periodic/15min''

This command will tell you what should run but will not actually execute the scripts.

If the results of the test are not as expected, check the following:

* Make sure the script is executable - if unsure, issue the command : {{cmd|chmod a+x [scriptname]}}
* Make sure the first line of your script is :<pre>#!/bin/sh</pre>
* Do not put file extensions on your script names - this stops them from working; for example: {{path|myscript}} will run, but {{path|myscript.sh}} won't

== What is the difference between edge and stable releases? ==
Stable releases are just what they sound like: initially a point-in-time snapshot of the package archives, but then maintained with bugfixes only in order to keep a stable environment.

[[Edge]] is more of a rolling-release, with the latest and greatest packages available in the online repositories. 
Occasionally, snapshot ISO images of the then-current state of [[edge]] are made and are available for download. 
Typically these are made when there are major kernel upgrades or package upgrades that require initramfs rebuilds.

== What kind of release of Alpine Linux are available? ==
Please check the [[Alpine_Linux:Releases|Releases]] page for more information.

=Setup=

== What is the difference between 'sys', 'data', and 'diskless' installs when running setup-alpine (or setup-disk)? ==
'''sys:''' This mode is a traditional disk install. The following partitions will be created on the disk: /boot, / (filesystem root) and swap. 
This mode may be used for development boxes, desktops, virtual servers, etc.

'''data:''' This mode uses your disk(s) for data storage, not for the operating system. The system itself will run from tmpfs (RAM).

Use this mode if you only want to use the disk(s) for a mailspool, databases, logs, etc.

'''diskless:''' No disks are to be used. [[Alpine local backup]] may still be used in this mode.

== How can I install a custom firmware in a diskless system? ==

The modules and firmware are both special images which are mounted as read-only. 
To fix this issue you can copy the firmware directory to your writeable media (cf/usb) and copy your custom firmware to it. 
After reboot Alpine should automatically use the directory on your local storage instead of the loopback device.

=Audio=

== How do I play my .ogg/.mp3 files? ==
First, the sound card should be recognized (you must have {{path|/dev/snd/*****}} files)

sox, mpg321, mpg123, oggplay, etc all use the oss sound driver, while Alpine uses ALSA drivers. 
So you need to load the snd-pcm-oss compatibility module. 
While you're at it, you might need {{pkg|aumix}} to turn up the sound volume
{{cmd|echo snd-pcm-oss >> /etc/modules
modprobe snd-pcm-oss
apk_add aumix sox
aumix (set volume settings)
play really_cool_song.mp3}}

= Time and timezones =

== How do I set the local timezone? ==

Starting in Alpine 2.2, setting the timezone can be done through the [[Setup-alpine|setup-alpine]] script, and no manual settings should be necessary. 
If you wish to edit the timezone after installation, run the [[Alpine_setup_scripts|setup-timezone]] script.

However, if you are using a previous version, please use the following steps:

/etc/timezone and the whole zoneinfo directory tree are not supported.
To set the timezone, set the TZ environment variable as specified in
http://www.opengroup.org/onlinepubs/007904975/basedefs/xbd_chap08.html
or you may also create an /etc/TZ file of a single line, ending with a
newline, containing the TZ setting. For example
echo CST6CDT > /etc/TZ
''Source: http://www.uclibc.org/downloads/Glibc_vs_uClibc_Differences.txt''

For more information, see how other uClibc-based distributions do this:
* http://leaf.sourceforge.net/doc/buci-tz3.html
* http://www.sonoracomm.com/index.php?option=com_content&task=view&id=107&Itemid=32

For a more complete list of timezones, please see: http://en.wikipedia.org/wiki/List_of_tz_database_time_zones

== OpenNTPD reports an error with "adjtime" ==
Your log contains something like:
reply from 85.214.86.126: offset 865033148.784255 delay 0.055466, next query 32s
reply from 202.150.212.24: offset 865033148.779314 delay 0.400771, next query 3s
adjusting local clock by 865033148.779835s
adjtime failed: Invalid argument

{{pkg|openntpd}} is supposed to make small adjustments in the time without causing time jumps. 
If the adjustment is too big then something is clearly wrong and ntpd gives up. (its actually adjtime(3) that has a limit on how big adjustments are allowed)

You can make ntpd set the time at startup by adding ''-s'' option to ntpd. This is done by setting '''NTPD_OPTS="-s"''' in {{path|/etc/conf.d/ntpd}}.

== Using a cron job to keep the time in sync ==
Add the following to {{path|/etc/periodic/daily}} (or use another folder under the {{path|/etc/periodic}} heirarchy if you want to run the script more/less frequently)

Example: file called {{path|do-ntp}}
<pre>
#!/bin/sh
ntpd -d -q -n -p uk.pool.ntp.org</pre>

This queries the uk time server pool - you can modify this to suit your localisation, or just use ''pool.ntp.org''. More info here: [http://www.pool.ntp.org/zone/@ http://www.pool.ntp.org/zone/@]

== Windows clients reports an error when trying to sync ==
{{pkg|openntpd}} needs to run for a while before it is satisfied it is in sync.
Until then it will set a flag "clock not synchronized" and Windows will report an error while trying to sync with your {{pkg|openntpd}} server.

Only thing to do is wait, do something else for 15-20mins and then check.

= Packages =
== Can you build an apk package for ...? ==
Yes, we probably can. 
Please create an [http://redmine.alpinelinux.org/projects/alpine/issues/new issue] in the [http://bugs.alpinelinux.org bugtracker]. Mark it as "feature" and include a short description (one-line), an url for the home page, and an url for the source package.

== How can I build my own package? ==
Please see the [[Creating an Alpine package]] page.

== WARNING: Ignoring APKINDEX.xxxx.tar.gz ==
If you get <code>WARNING: Ignoring APKINDEX.xxxx.tar.gz: No such file or directory</code> while running package related tools, check your {{path|/etc/apk/repositories}} file if an entry points to {{path|.../v2.4/testing/}}. This directory is gone.

To check the content of the repositories file
{{Cmd|cat /etc/apk/repositories}}

or
{{Cmd|setup-apkrepos}}

= Dynamic DNS =
== How do I schedule a regular dynamic DNS update? ==
You'll want to install the {{pkg|ez-ipupdate}} package:
{{cmd|apk add ez-ipupdate}}

After that, create a new file at {{path|/etc/ezipupdate.conf}} with the contents similar to:
service-type=dyndns
user=myusername:mypassword
interface=eth1
host=myhostname.dyndns.org

Make the new ip cache directory:
{{cmd|mkdir /var/cache/ez-ipupdate
lbu add /var/cache/ez-ipupdate}}

Then schedule a new cron job with this command:
{{cmd|echo >> /var/log/ez-ipupdate && /bin/date >> /var/log/ez-ipupdate && ez-ipupdate --config /etc/ez-ipupdate.conf -f -F /var/run/ez-ipupdate.pid --cache-file /var/cache/ez-ipupdate/ipcache --quiet >> /var/log/ez-ipupdate 2>&1}}

Don't forget to backup your settings!
{{cmd|lbu ci}}

How-To Alpine Wall

2012-10-23T07:21:33Z

Mhavela: /* Example firewall using AWall */ Fixed missing comma

{{Draft}}

= General =
Purpose of this doc is to illustrate Alpine Wall (AWall) by examples. 
We will explain AWall from the viewpoint of a Shorewall user. 

AWall is available since Alpine v2.4. 
Please see [[Alpine_Wall_User's_Guide]] for details about the syntax.

== Structure ==
Your AWall firewall configuration file(s) goes to {{Path|/usr/share/awall/optional}}. 
You may have multiple configuration files ''(it is useful to have separate files for eg. HTTP,FTP and other roles)''. 
Each such file is called ''Policy''. 
The ''Policy(s)'' can be enabled or disabled by using the "awall [enable|disable]" command.
{{note|AWalls ''Policy'' files are not equivalent to Shorewalls {{Path|/etc/shorewall/policy}} file.}}

An AWall ''Policy'' can contain definitions of:
* variables ''(like {{Path|/etc/shorewall/params}})''
* zones ''(like {{Path|/etc/shorewall/zones}})''
* interfaces ''(like {{Path|/etc/shorewall/interfaces}})''
* policies ''(like {{Path|/etc/shorewall/policy}})''
* filters and NAT rules ''(like {{Path|/etc/shorewall/rules}})''
* services ''(like {{Path|/usr/share/shorewall/macro.HTTP}})''

== Prerequisites ==
After installing awall package, you need to load the following iptables modules:
{{cmd|modprobe ip_tables
modprobe iptable_nat #if NAT is used}}

This is needed only the first time, after AWall installation.

Make the firewall autostart at boot and autoload the needed modules:
{{cmd|rc-update add iptables}}

= A Basic Home Firewall =
We will give a example on how you can convert a "Basic home firewall" from Shorewall to AWall.

== Example firewall using Shorewall ==
Let's suppose you have the following Shorewall configuration:

'''/etc/shorewall/zones'''
<pre>
inet ipv4
loc ipv4
</pre>

'''/etc/shorewall/interfaces'''
<pre>
inet eth0
loc eth1
</pre>

'''/etc/shorewall/policy'''
<pre>
fw all ACCEPT
loc inet ACCEPT
all all DROP
</pre>

'''/etc/shorewall/masq'''
<pre>
eth0 0.0.0.0/0
</pre>

== Example firewall using AWall ==
Now we will configure AWall to do the same thing as we just did with the above Shorewall example.

Create a new file called {{Path|/usr/share/awall/optional/test-policy.json}} and add the following content to the file. 
{{Tip|You could call it something else as long as you save it in {{Path|/usr/share/awall/optional/}} and name it {{Path|???'''.json'''}})}}
<pre>
{
"description": "Home firewall",

"zone": {
"inet": { "iface": "eth0" },
"loc": { "iface": "eth1" }
},

"policy": [
{ "in": "_fw", "action": "accept" },
{ "in": "loc", "out": "inet", "action": "accept" }
],

"snat": [
{ "out": "inet" }
]
}
</pre>
The above configuration will:
* Create a description of your ''Policy''
* Define ''zones''
* Define ''policy''
* Define ''snat'' ''(to masqurade the outgoing traffic)''
{{Note|''snat'' means "source NAT". It does not mean "static NAT".}}
{{Tip| AWall has a built-in zone named "_fw" which is the "firewall itself". This corresponds to the Shorewall "fw" zone.}}

=== Activating/Applying a Policy ===
After saving the ''Policy'' you can run the following commands to activate your firewall settings:
{{cmd|awall list # Listing available 'Policy(s)' (This step is optional)
awall enable test-policy # Enables the 'Policy'
awall activate # Genereates firewall configuration from the 'Policy' files and enables it (starts the firewall)}}

If you have multiple policies, after enabling or disabling them, you need to always run ''awall activate'' in order to update the iptables rules.

= Advanced Firewall settings =
Assuming you have your {{Path|/usr/share/awall/optional/test-policy.json}} with your "Basic home firewall" settings, you could choose to modify that file to test the below examples.
{{tip|You could create new files in {{Path|/usr/share/awall/optional/}} for testing some of the below examples}}

== Logging ==
AWall will ''(since v0.2.7)'' automatically log dropped packets. 
You could add the following row to the "policy" section in your ''Policy'' file in order to see the dropped packets.
<pre>{ "in": "inet", "out": "loc", "action": "drop" }</pre>
{{Note|If you are using Alpine 2.4 repository (AWall v0.2.5 or below), you should use <code>"action": "logdrop"</code> in order to log dropped packets .}}
{{Note|If you are adding the above content to an already existing file, then make sure you add "," signs where they are needed!}}

== Port-Forwarding ==
Let's suppose you have a local web server (192.168.1.10) that you want to make accessible from the "inet". 
With Shorewall you would have a rule like this in your {{Path|/etc/shorewall/rules}}:
<pre>
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) DEST
DNAT inet loc:192.168.1.10 tcp 80
</pre>

Lets configure our AWall ''Policy'' file likewise by adding the following content.
<pre>
"variable": {
"APACHE": "192.168.1.10",
"STATIC_IP": "1.2.3.4"
},

"filter": [
{ "in": "inet",
"dest": "$STATIC_IP",
"service": "http",
"action": "accept",
"dnat": "$APACHE"
}
]
</pre>
As you can see in the above example, we create a
* "variable" section where we specify some IP-addresses
* "filter" section where we do the actual port-forwarding (using the variables we just created and using some preexisting "services" definitions)
{{Note|If you are adding the above content to a already existing file, then make sure you add "," signs where they are needed!}}
{{Tip|AWall already has a "service" definition list for several services like HTTP, FTP, SNMP, etc. ''(see {{Path|/usr/share/awall/mandatory/services.json}})''}}

== Create your own service definitions ==
You can add your own service definitions into your ''Policy'' files:
<pre>
"service": {
"openvpn": { "proto": "udp", "port": 1194 }
}
</pre>
{{Note|You can not override a "service" definition that comes from {{Path|/usr/share/awall/mandatory/services.json}} }}
{{Note|If you are adding the above content to a already existing file, then make sure you add "," signs where they are needed!}}

== Inherit services or variables ==
You can import a ''Policy'' into other ''Policy'' files for inheriting services or variables definitions:
<pre>
"import": "myfirewall"
</pre>

== Specify load order ==
By default policies are loaded on alphabetical order. 
You can change the load order with the keywords "before" and "after":
<pre>
"before": "myfirewall"
"after": "someotherpolicy"
</pre>

= Other =
== Permanently save config ==
If you are running from read-only medium (from CD, USB or CF) you will need to make sure your ''Policy'' files gets permanently saved until next reboot.
{{cmd|lbu inc <var>/usr/share/awall/optional/</var> # This tells lbu to include that path when creating a new apkovl
lbu ci # This creates the new apkovl}}

== Help and debugging ==
If you end up in some kind of trouble, you might find some commands useful when debugging:
{{cmd|awall # (With no parameters) Shows some basic help about awall application
iptables -L -n # Show what's in <code>iptables</code>}}

[[Category:Networking]]
[[Category:Security]]

How-To Alpine Wall

2012-10-22T13:38:17Z

Mhavela: /* Example firewall using AWall */ You need to enter 'MASQUERADE' instead of 'masquerade' (this is what 'iptables' was complaining about)

{{Draft}}

= General =
Purpose of this doc is to illustrate Alpine Wall (AWall) by examples. 
We will explain AWall from the viewpoint of a Shorewall user. 

AWall is available since Alpine v2.4. 
Please see [[Alpine_Wall_User's_Guide]] for details about the syntax.

== Structure ==
Your AWall firewall configuration file(s) goes to {{Path|/usr/share/awall/optional}}. 
You may have multiple configuration files ''(it is useful to have separate files for eg. HTTP,FTP and other roles)''. 
Each such file is called ''Policy''. 
The ''Policy(s)'' can be enabled or disabled by using the "awall [enable|disable]" command.
{{note|AWalls ''Policy'' files are not equivalent to Shorewalls {{Path|/etc/shorewall/policy}} file.}}

An AWall ''Policy'' can contain definitions of:
* variables ''(like {{Path|/etc/shorewall/params}})''
* zones ''(like {{Path|/etc/shorewall/zones}})''
* interfaces ''(like {{Path|/etc/shorewall/interfaces}})''
* policies ''(like {{Path|/etc/shorewall/policy}})''
* filters and NAT rules ''(like {{Path|/etc/shorewall/rules}})''
* services ''(like {{Path|/usr/share/shorewall/macro.HTTP}})''

== Prerequisites ==
After installing awall package, you need to load the following iptables modules:
{{cmd|modprobe ip_tables
modprobe iptable_nat #if NAT is used}}

This is needed only the first time, after AWall installation.

Make the firewall autostart at boot and autoload the needed modules:
{{cmd|rc-update add iptables}}

= A Basic Home Firewall =
We will give a example on how you can convert a "Basic home firewall" from Shorewall to AWall.

== Example firewall using Shorewall ==
Let's suppose you have the following Shorewall configuration:

'''/etc/shorewall/zones'''
<pre>
inet ipv4
loc ipv4
</pre>

'''/etc/shorewall/interfaces'''
<pre>
inet eth0
loc eth1
</pre>

'''/etc/shorewall/policy'''
<pre>
fw all ACCEPT
loc inet ACCEPT
all all DROP
</pre>

'''/etc/shorewall/masq'''
<pre>
eth0 0.0.0.0/0
</pre>

== Example firewall using AWall ==
Now we will configure AWall to do the same thing as we just did with the above Shorewall example.

Create a new file called {{Path|/usr/share/awall/optional/test-policy.json}} and add the following content to the file. 
{{Tip|You could call it something else as long as you save it in {{Path|/usr/share/awall/optional/}} and name it {{Path|???'''.json'''}})}}
<pre>
{
"description": "Home firewall"

"zone": {
"inet": { "iface": "eth0" },
"loc": { "iface": "eth1" }
},

"policy": [
{ "in": "_fw", "action": "accept" },
{ "in": "loc", "out": "inet", "action": "accept" }
],

"snat": [
{ "out": "inet", "action": "MASQUERADE" }
]
}
</pre>
The above configuration will:
* Create a description of your ''Policy''
* Define ''zones''
* Define ''policy''
* Define ''snat'' ''(to masqurade the outgoing traffic)''
{{Note|''snat'' means "source NAT". It does not mean "static NAT".}}
{{Tip| AWall has a built-in zone named "_fw" which is the "firewall itself". This corresponds to the Shorewall "fw" zone.}}

=== Activating/Applying a Policy ===
After saving the ''Policy'' you can run the following commands to activate your firewall settings:
{{cmd|awall list # Listing available 'Policy(s)' (This step is optional)
awall enable test-policy # Enables the 'Policy'
awall activate # Genereates firewall configuration from the 'Policy' files and enables it (starts the firewall)}}

If you have multiple policies, after enabling or disabling them, you need to always run ''awall activate'' in order to update the iptables rules.

= Advanced Firewall settings =
Assuming you have your {{Path|/usr/share/awall/optional/test-policy.json}} with your "Basic home firewall" settings, you could choose to modify that file to test the below examples.
{{tip|You could create new files in {{Path|/usr/share/awall/optional/}} for testing some of the below examples}}

== Logging ==
AWall will ''(since v0.2.7)'' automatically log dropped packets. 
You could add the following row to the "policy" section in your ''Policy'' file in order to see the dropped packets.
<pre>{ "in": "inet", "out": "loc", "action": "drop" }</pre>
{{Note|If you are using Alpine 2.4 repository (AWall v0.2.5 or below), you should use <code>"action": "logdrop"</code> in order to log dropped packets .}}
{{Note|If you are adding the above content to an already existing file, then make sure you add "," signs where they are needed!}}

== Port-Forwarding ==
Let's suppose you have a local web server (192.168.1.10) that you want to make accessible from the "inet". 
With Shorewall you would have a rule like this in your {{Path|/etc/shorewall/rules}}:
<pre>
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) DEST
DNAT inet loc:192.168.1.10 tcp 80
</pre>

Lets configure our AWall ''Policy'' file likewise by adding the following content.
<pre>
"variable": {
"APACHE": "192.168.1.10",
"STATIC_IP": "1.2.3.4"
},

"filter": [
{ "in": "inet",
"dest": "$STATIC_IP",
"service": "http",
"action": "accept",
"dnat": "$APACHE"
}
]
</pre>
As you can see in the above example, we create a
* "variable" section where we specify some IP-addresses
* "filter" section where we do the actual port-forwarding (using the variables we just created and using some preexisting "services" definitions)
{{Note|If you are adding the above content to a already existing file, then make sure you add "," signs where they are needed!}}
{{Tip|AWall already has a "service" definition list for several services like HTTP, FTP, SNMP, etc. ''(see {{Path|/usr/share/awall/mandatory/services.json}})''}}

== Create your own service definitions ==
You can add your own service definitions into your ''Policy'' files:
<pre>
"service": {
"openvpn": { "proto": "udp", "port": 1194 }
}
</pre>
{{Note|You can not override a "service" definition that comes from {{Path|/usr/share/awall/mandatory/services.json}} }}
{{Note|If you are adding the above content to a already existing file, then make sure you add "," signs where they are needed!}}

== Inherit services or variables ==
You can import a ''Policy'' into other ''Policy'' files for inheriting services or variables definitions:
<pre>
"import": "myfirewall"
</pre>

== Specify load order ==
By default policies are loaded on alphabetical order. 
You can change the load order with the keywords "before" and "after":
<pre>
"before": "myfirewall"
"after": "someotherpolicy"
</pre>

= Other =
== Permanently save config ==
If you are running from read-only medium (from CD, USB or CF) you will need to make sure your ''Policy'' files gets permanently saved until next reboot.
{{cmd|lbu inc <var>/usr/share/awall/optional/</var> # This tells lbu to include that path when creating a new apkovl
lbu ci # This creates the new apkovl}}

== Help and debugging ==
If you end up in some kind of trouble, you might find some commands useful when debugging:
{{cmd|awall # (With no parameters) Shows some basic help about awall application
iptables -L -n # Show what's in <code>iptables</code>}}

[[Category:Networking]]
[[Category:Security]]

Template:Pkg

2012-10-15T14:49:49Z

Mhavela: Trying to bugfix firefox, chrome and some other browsers displaying monospace chars too small

<noinclude>{{Template}}
An inline link to search for the given package in the Package Browser.

=== Usage ===
<pre>{{Pkg|package}}</pre>



Special characters in the package name are automatically encoded in the URL.

=== Example ===
<pre>{{Pkg|gtk+2.0}}</pre>
will produce:
{{Pkg|gtk+2.0}}

</noinclude><includeonly>[http://alpinelinux.org/apk/main/x86/{{urlencode:{{{1}}}}} {{{1}}}]</includeonly>

Stream a DV-camera using vlc

2012-10-15T14:46:31Z

Mhavela: /* Install programs */ Note that you must install vlc-qt to get the graphical part of 'vlc'

{{draft}}
In this howto we are going to stream the video coming from a DV-camera connected through ie1394 (firewire). 
vlc is used to stream the content. 
We will be using h264 and AAC to transcode the stream ''(should be fairly easy to change to whatever suits your needs)''.

= Setup Alpine =
== Initial Setup ==
Follow [[Installing_Alpine]] to setup Alpine Linux.

== Install programs ==
{{Cmd| apk add vlc-daemon vlc-dev }}
{{note|If you intend to use a desktop environment with vlc you will need to install {{pkg|vlc-qt}} in order to get that working. {{pkg|vlc-dev}} or {{pkg|vlc}} package does not contain the graphical part of vlc ''(menus etc.)''.}}
{{todo| I haven't figured out why vlc-dev is needed. Manually adding all vlc-dev dependencies does not work. 
The 'require vlc-dev' thing is reported at http://bugs.alpinelinux.org/issues/1051 and might be solved soon ''(or 'vlc-dev' really is needed as a dependency)''.}}

== Using ACF to control vlc ==
{{tip|A easy way to control vlc-daemon would be through [[ACF]]. Consider following these simple steps. 
But as it is ''optional'' you could just skip this [[ACF]] section.}}
Setup/install acf ''(unless it's not already done)''.
{{cmd| setup-acf}}
Install acf-package for vlc
{{cmd| apk add acf-vlc-daemon}}
We won't describe in this tutorial how you would use [[ACF]] to control vlc-daemon ''(basically because it's so simple it does not need any describing)''. 
If you installed [[ACF]], just browse https://ip.of.your.box and you would from this tutorial understand what to do. 

= Configure vlc =
Configuration is done by modifying '/etc/conf.d/vlc'. 
Here comes the actual configuration that makes vlc stream the DV-camera.
<pre>
###############
BITRATE=500
XRES=720
YRES=576

###############
# Chose one of the following 'preset' values depending on how fast your CPU is:
# ultrafast,superfast,veryfast,faster,fast,medium,slow,slower,veryslow,placebo
TVIDEO="venc=x264{preset=ultrafast,vbv-maxrate=${BITRATE},vbv-bufsize=256,keyint=250,min-keyint=25},vcodec=h264,vb=${BITRATE},scale=1,width=${XRES},height=${YRES}"
TAUDIO="acodec=mp4a,ab=96,channels=2,samplerate=44100"
TMISC="deinterlace,audio-sync"

###############
TRANSPORT="std{access=http,mux=ts,dst=:8080}"

VLC_OPTS="--daemon -I dummy dv:///dev/fw0 --rawdv-hurry-up --sout-keep --sout-transcode-audio-sync \
--file-logging --logfile /var/log/vlc/vlc.log \
--sout #transcode{$TVIDEO,$TAUDIO,$TMISC}:$TRANSPORT"
</pre>

= Start it up =
== Prepare the hardware ==
Here comes the hardest part in this tutorial... Attach the DV-camera to your ie1394/firewire port. 
Well... that wasn't too hard! :-)

== Manual start ==
Start vlc-daemon either from terminal:
{{cmd|/etc/init.d/vlc start}}
or using ACF and just klick [Start].

== Make it start at next reboot ==
You might want to make it automatically start at next reboot
{{cmd|rc-update add vlc-daemon default}}

== Debug ==
In case something goes wrong, consider looking at the logfiles.
{{cmd|less -I /var/log/vlc/vlc.log}}
If you don't find any useful information you could add verbosity by adding '-v' or '-vv' to /etc/conf.d/vlc and restart vlc ''(you would need to restart vlc-daemon to see more information in the logs)''.

[[Category:Multimedia]]

Template:Path

2012-10-12T16:51:37Z

Mhavela: Bugfix causing font's to be displayed too small in some browsers

<noinclude>{{Template}}
Formats pathnames.

====Example====

<pre>{{Path|/etc/network/interfaces}}</pre>

will produce:
{{Path|/etc/network/interfaces}}

</noinclude><includeonly>{{{1}}}</includeonly>

Template:Path

2012-10-12T16:50:38Z

Mhavela: Reverted edits by Mhavela (talk) to last revision by Dubiousjim

<noinclude>{{Template}}
Formats pathnames.

====Example====

<pre>{{Path|/etc/network/interfaces}}</pre>

will produce:
{{Path|/etc/network/interfaces}}

</noinclude><includeonly>{{{1}}}</includeonly>

Template:Path

2012-10-12T16:49:46Z

Mhavela: Modifying font-size

<noinclude>{{Template}}
Formats pathnames.

====Example====

<pre>{{Path|/etc/network/interfaces}}</pre>

will produce:
{{Path|/etc/network/interfaces}}

</noinclude><includeonly>{{{1}}}</includeonly>

Template:Path

2012-10-12T16:49:21Z

Mhavela: Bugfix causing font's to be displayed too small in some browsers

How-To Alpine Wall

2012-10-12T16:47:03Z

Mhavela: Using the 'Path' template to display file/folder paths (didn't know there existed a 'Path' template)

{{Draft}}

= General =
Purpose of this doc is to illustrate Alpine Wall (AWall) by examples. 
We will explain AWall from the viewpoint of a Shorewall user. 

AWall is available since Alpine v2.4. 
Please see [[Alpine_Wall_User's_Guide]] for details about the syntax.

== Structure ==
Your AWall firewall configuration file(s) goes to {{Path|/usr/share/awall/optional}}. 
You may have multiple configuration files ''(it is useful to have separate files for eg. HTTP,FTP and other roles)''. 
Each such file is called ''Policy''. 
The ''Policy(s)'' can be enabled or disabled by using the "awall [enable|disable]" command.
{{note|AWalls ''Policy'' files are not equivalent to Shorewalls {{Path|/etc/shorewall/policy}} file.}}

An AWall ''Policy'' can contain definitions of:
* variables ''(like {{Path|/etc/shorewall/params}})''
* zones ''(like {{Path|/etc/shorewall/zones}})''
* interfaces ''(like {{Path|/etc/shorewall/interfaces}})''
* policies ''(like {{Path|/etc/shorewall/policy}})''
* filters and NAT rules ''(like {{Path|/etc/shorewall/rules}})''
* services ''(like {{Path|/usr/share/shorewall/macro.HTTP}})''

== Prerequisites ==
After installing awall package, you need to load the following iptables modules:
{{cmd|modprobe ip_tables
modprobe iptable_nat #if NAT is used}}

This is needed only the first time, after AWall installation.

Make the firewall autostart at boot and autoload the needed modules:
{{cmd|rc-update add iptables}}

= A Basic Home Firewall =
We will give a example on how you can convert a "Basic home firewall" from Shorewall to AWall.

== Example firewall using Shorewall ==
Let's suppose you have the following Shorewall configuration:

'''/etc/shorewall/zones'''
<pre>
inet ipv4
loc ipv4
</pre>

'''/etc/shorewall/interfaces'''
<pre>
inet eth0
loc eth1
</pre>

'''/etc/shorewall/policy'''
<pre>
fw all ACCEPT
loc inet ACCEPT
all all DROP
</pre>

'''/etc/shorewall/masq'''
<pre>
eth0 0.0.0.0/0
</pre>

== Example firewall using AWall ==
Now we will configure AWall to do the same thing as we just did with the above Shorewall example.

Create a new file called {{Path|/usr/share/awall/optional/test-policy.json}} and add the following content to the file. 
{{Tip|You could call it something else as long as you save it in {{Path|/usr/share/awall/optional/}} and name it {{Path|???'''.json'''}})}}
<pre>
{
"description": "Home firewall"

"zone": {
"inet": { "iface": "eth0" },
"loc": { "iface": "eth1" }
},

"policy": [
{ "in": "_fw", "action": "accept" },
{ "in": "loc", "out": "inet", "action": "accept" }
],

"snat": [
{ "out": "inet", "action": "masquerade" }
]
}
</pre>
The above configuration will:
* Create a description of your ''Policy''
* Define ''zones''
* Define ''policy''
* Define ''snat'' ''(to masqurade the outgoing traffic)''
{{Note|''snat'' means "source NAT". It does not mean "static NAT".}}
{{Tip| AWall has a built-in zone named "_fw" which is the "firewall itself". This corresponds to the Shorewall "fw" zone.}}
{{Todo|There is something wrong with awall/iptables/other, when using the ''snat'' section (due to the "masquerade"). 
This needs some research and/or modify this wiki doc.}}

=== Activating/Applying a Policy ===
After saving the ''Policy'' you can run the following commands to activate your firewall settings:
{{cmd|awall list # Listing available 'Policy(s)' (This step is optional)
awall enable test-policy # Enables the 'Policy'
awall activate # Genereates firewall configuration from the 'Policy' files and enables it (starts the firewall)}}

If you have multiple policies, after enabling or disabling them, you need to always run ''awall activate'' in order to update the iptables rules.

= Advanced Firewall settings =
Assuming you have your {{Path|/usr/share/awall/optional/test-policy.json}} with your "Basic home firewall" settings, you could choose to modify that file to test the below examples.
{{tip|You could create new files in {{Path|/usr/share/awall/optional/}} for testing some of the below examples}}

== Logging ==
AWall will ''(since v0.2.7)'' automatically log dropped packets. 
You could add the following row to the "policy" section in your ''Policy'' file in order to see the dropped packets.
<pre>{ "in": "inet", "out": "loc", "action": "drop" }</pre>
{{Note|If you are using Alpine 2.4 repository (AWall v0.2.5 or below), you should use <code>"action": "logdrop"</code> in order to log dropped packets .}}
{{Note|If you are adding the above content to an already existing file, then make sure you add "," signs where they are needed!}}

== Port-Forwarding ==
Let's suppose you have a local web server (192.168.1.10) that you want to make accessible from the "inet". 
With Shorewall you would have a rule like this in your {{Path|/etc/shorewall/rules}}:
<pre>
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) DEST
DNAT inet loc:192.168.1.10 tcp 80
</pre>

Lets configure our AWall ''Policy'' file likewise by adding the following content.
<pre>
"variable": {
"APACHE": "192.168.1.10",
"STATIC_IP": "1.2.3.4"
},

"filter": [
{ "in": "inet",
"dest": "$STATIC_IP",
"service": "http",
"action": "accept",
"dnat": "$APACHE"
}
]
</pre>
As you can see in the above example, we create a
* "variable" section where we specify some IP-addresses
* "filter" section where we do the actual port-forwarding (using the variables we just created and using some preexisting "services" definitions)
{{Note|If you are adding the above content to a already existing file, then make sure you add "," signs where they are needed!}}
{{Tip|AWall already has a "service" definition list for several services like HTTP, FTP, SNMP, etc. ''(see {{Path|/usr/share/awall/mandatory/services.json}})''}}

== Create your own service definitions ==
You can add your own service definitions into your ''Policy'' files:
<pre>
"service": {
"openvpn": { "proto": "udp", "port": 1194 }
}
</pre>
{{Note|You can not override a "service" definition that comes from {{Path|/usr/share/awall/mandatory/services.json}} }}
{{Note|If you are adding the above content to a already existing file, then make sure you add "," signs where they are needed!}}

== Inherit services or variables ==
You can import a ''Policy'' into other ''Policy'' files for inheriting services or variables definitions:
<pre>
"import": "myfirewall"
</pre>

== Specify load order ==
By default policies are loaded on alphabetical order. 
You can change the load order with the keywords "before" and "after":
<pre>
"before": "myfirewall"
"after": "someotherpolicy"
</pre>

= Other =
== Permanently save config ==
If you are running from read-only medium (from CD, USB or CF) you will need to make sure your ''Policy'' files gets permanently saved until next reboot.
{{cmd|lbu inc <var>/usr/share/awall/optional/</var> # This tells lbu to include that path when creating a new apkovl
lbu ci # This creates the new apkovl}}

== Help and debugging ==
If you end up in some kind of trouble, you might find some commands useful when debugging:
{{cmd|awall # (With no parameters) Shows some basic help about awall application
iptables -L -n # Show what's in <code>iptables</code>}}

[[Category:Networking]]
[[Category:Security]]

How-To Alpine Wall

2012-10-12T15:44:26Z

Mhavela: Something wrong with snat/masquerade - needs fixing

{{Draft}}

= General =
Purpose of this doc is to illustrate Alpine Wall (AWall) by examples. 
We will explain AWall from the viewpoint of a Shorewall user. 

AWall is available since Alpine v2.4. 
Please see [[Alpine_Wall_User's_Guide]] for details about the syntax.

== Structure ==
Your AWall firewall configuration file(s) goes to <code>/usr/share/awall/optional</code>. 
You may have multiple configuration files ''(it is useful to have separate files for eg. HTTP,FTP and other roles)''. 
Each such file is called ''Policy''. 
The ''Policy(s)'' can be enabled or disabled by using the "awall [enable|disable]" command.
{{note|AWalls ''Policy'' files are not equivalent to Shorewalls <code>/etc/shorewall/policy</code> file.}}

An AWall ''Policy'' can contain definitions of:
* variables ''(like <code>/etc/shorewall/params</code>)''
* zones ''(like <code>/etc/shorewall/zones</code>)''
* interfaces ''(like <code>/etc/shorewall/interfaces</code>)''
* policies ''(like <code>/etc/shorewall/policy</code>)''
* filters and NAT rules ''(like <code>/etc/shorewall/rules</code>)''
* services ''(like <code>/usr/share/shorewall/macro.HTTP</code>)''

== Prerequisites ==
After installing awall package, you need to load the following iptables modules:
{{cmd|modprobe ip_tables
modprobe iptable_nat #if NAT is used}}

This is needed only the first time, after AWall installation.

Make the firewall autostart at boot and autoload the needed modules:
{{cmd|rc-update add iptables}}

= A Basic Home Firewall =
We will give a example on how you can convert a "Basic home firewall" from Shorewall to AWall.

== Example firewall using Shorewall ==
Let's suppose you have the following Shorewall configuration:

'''/etc/shorewall/zones'''
<pre>
inet ipv4
loc ipv4
</pre>

'''/etc/shorewall/interfaces'''
<pre>
inet eth0
loc eth1
</pre>

'''/etc/shorewall/policy'''
<pre>
fw all ACCEPT
loc inet ACCEPT
all all DROP
</pre>

'''/etc/shorewall/masq'''
<pre>
eth0 0.0.0.0/0
</pre>

== Example firewall using AWall ==
Now we will configure AWall to do the same thing as we just did with the above Shorewall example.

Create a new file called <code>/usr/share/awall/optional/test-policy.json</code> and add the following content to the file. 
{{Tip|You could call it something else as long as you save it in <code>/usr/share/awall/optional/</code> and name it <code>???'''.json'''</code>)}}
<pre>
{
"description": "Home firewall"

"zone": {
"inet": { "iface": "eth0" },
"loc": { "iface": "eth1" }
},

"policy": [
{ "in": "_fw", "action": "accept" },
{ "in": "loc", "out": "inet", "action": "accept" }
],

"snat": [
{ "out": "inet", "action": "masquerade" }
]
}
</pre>
The above configuration will:
* Create a description of your ''Policy''
* Define ''zones''
* Define ''policy''
* Define ''snat'' ''(to masqurade the outgoing traffic)''
{{Note|''snat'' means "source NAT". It does not mean "static NAT".}}
{{Tip| AWall has a built-in zone named "_fw" which is the "firewall itself". This corresponds to the Shorewall "fw" zone.}}
{{Todo|There is something wrong with awall/iptables/other, when using the ''snat'' section (due to the "masquerade"). 
This needs some research and/or modify this wiki doc.}}

=== Activating/Applying a Policy ===
After saving the ''Policy'' you can run the following commands to activate your firewall settings:
{{cmd|awall list # Listing available 'Policy(s)' (This step is optional)
awall enable test-policy # Enables the 'Policy'
awall activate # Genereates firewall configuration from the 'Policy' files and enables it (starts the firewall)}}

If you have multiple policies, after enabling or disabling them, you need to always run ''awall activate'' in order to update the iptables rules.

= Advanced Firewall settings =
Assuming you have your <code>/usr/share/awall/optional/test-policy.json</code> with your "Basic home firewall" settings, you could choose to modify that file to test the below examples.
{{tip|You could create new files in <code>/usr/share/awall/optional/</code> for testing some of the below examples}}

== Logging ==
AWall will ''(since v0.2.7)'' automatically log dropped packets. If you are using Alpine 2.4 repository (AWall v0.2.5 or below), you should use ''"action": "logdrop"'' in order to log dropped packets. 
You could add the following row to the "policy" section in your ''Policy'' file in order to see the dropped packets.
<pre>{ "in": "inet", "out": "loc", "action": "drop" }</pre>

{{Note|If you are adding the above content to an already existing file, then make sure you add "," signs where they are needed!}}

== Port-Forwarding ==
Let's suppose you have a local web server (192.168.1.10) that you want to make accessible from the "inet". 
With Shorewall you would have a rule like this in your <code>/etc/shorewall/rules</code>:
<pre>
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) DEST
DNAT inet loc:192.168.1.10 tcp 80
</pre>

Lets configure our AWall ''Policy'' file likewise by adding the following content.
<pre>
"variable": {
"APACHE": "192.168.1.10",
"STATIC_IP": "1.2.3.4"
},

"filter": [
{ "in": "inet",
"dest": "$STATIC_IP",
"service": "http",
"action": "accept",
"dnat": "$APACHE"
}
]
</pre>
As you can see in the above example, we create a
* "variable" section where we specify some IP-addresses
* "filter" section where we do the actual port-forwarding (using the variables we just created and using some preexisting "services" definitions)
{{Note|If you are adding the above content to a already existing file, then make sure you add "," signs where they are needed!}}
{{Tip|AWall already has a "service" definition list for several services like HTTP, FTP, SNMP, etc. ''(see <code>/usr/share/awall/mandatory/services.json</code>)''}}

== Create your own service definitions ==
You can add your own service definitions into your ''Policy'' files:
<pre>
"service": {
"openvpn": { "proto": "udp", "port": 1194 }
}
</pre>
{{Note|You can not override a "service" definition that comes from <code>/usr/share/awall/mandatory/services.json</code>}}
{{Note|If you are adding the above content to a already existing file, then make sure you add "," signs where they are needed!}}

== Inherit services or variables ==
You can import a ''Policy'' into other ''Policy'' files for inheriting services or variables definitions:
<pre>
"import": "myfirewall"
</pre>

== Specify load order ==
By default policies are loaded on alphabetical order. 
You can change the load order with the keywords "before" and "after":
<pre>
"before": "myfirewall"
"after": "someotherpolicy"
</pre>

= Other =
== Permanently save config ==
If you are running from read-only medium (from CD, USB or CF) you will need to make sure your ''Policy'' files gets permanently saved until next reboot.
{{cmd|lbu inc <var>/usr/share/awall/optional/</var> # This tells lbu to include that path when creating a new apkovl
lbu ci # This creates the new apkovl}}

== Help and debugging ==
If you end up in some kind of trouble, you might find some commands useful when debugging:
{{cmd|awall # (With no parameters) Shows some basic help about awall application
iptables -L -n # Show what's in <code>iptables</code>}}

[[Category:Networking]]
[[Category:Security]]

How-To Alpine Wall

2012-10-12T14:17:09Z

Mhavela: Help/Debuggin notes. lbu inc when running from CD/USB/etc.

{{Draft}}

= General =
Purpose of this doc is to illustrate Alpine Wall (AWall) by examples. 
We will explain AWall from the viewpoint of a Shorewall user. 

AWall is available since Alpine v2.4. 
Please see [[Alpine_Wall_User's_Guide]] for details about the syntax.

== Structure ==
Your AWall firewall configuration file(s) goes to <code>/usr/share/awall/optional</code>. 
You may have multiple configuration files ''(it is useful to have separate files for eg. HTTP,FTP and other roles)''. 
Each such file is called ''Policy''. 
The ''Policy(s)'' can be enabled or disabled by using the "awall [enable|disable]" command.
{{note|AWalls ''Policy'' files are not equivalent to Shorewalls <code>/etc/shorewall/policy</code> file.}}

An AWall ''Policy'' can contain definitions of:
* variables ''(like <code>/etc/shorewall/params</code>)''
* zones ''(like <code>/etc/shorewall/zones</code>)''
* interfaces ''(like <code>/etc/shorewall/interfaces</code>)''
* policies ''(like <code>/etc/shorewall/policy</code>)''
* filters and NAT rules ''(like <code>/etc/shorewall/rules</code>)''
* services ''(like <code>/usr/share/shorewall/macro.HTTP</code>)''

== Prerequisites ==
After installing awall package, you need to load the following iptables modules:
{{cmd|modprobe ip_tables
modprobe iptable_nat #if NAT is used}}

This is needed only the first time, after AWall installation.

Make the firewall autostart at boot and autoload the needed modules:
{{cmd|rc-update add iptables}}

= A Basic Home Firewall =
We will give a example on how you can convert a "Basic home firewall" from Shorewall to AWall.

== Example firewall using Shorewall ==
Let's suppose you have the following Shorewall configuration:

'''/etc/shorewall/zones'''
<pre>
inet ipv4
loc ipv4
</pre>

'''/etc/shorewall/interfaces'''
<pre>
inet eth0
loc eth1
</pre>

'''/etc/shorewall/policy'''
<pre>
fw all ACCEPT
loc inet ACCEPT
all all DROP
</pre>

'''/etc/shorewall/masq'''
<pre>
eth0 0.0.0.0/0
</pre>

== Example firewall using AWall ==
Now we will configure AWall to do the same thing as we just did with the above Shorewall example.

Create a new file called <code>/usr/share/awall/optional/test-policy.json</code> and add the following content to the file. 
{{Tip|You could call it something else as long as you save it in <code>/usr/share/awall/optional/</code> and name it <code>???'''.json'''</code>)}}
<pre>
{
"description": "Home firewall"

"zone": {
"inet": { "iface": "eth0" },
"loc": { "iface": "eth1" }
},

"policy": [
{ "in": "_fw", "action": "accept" },
{ "in": "loc", "out": "inet", "action": "accept" }
],

"snat": [
{ "out": "inet", "action": "masquerade" }
]
}
</pre>
The above configuration will:
* Create a description of your ''Policy''
* Define ''zones''
* Define ''policy''
* Define ''snat'' ''(to masqurade the outgoing traffic)''
{{Note|''snat'' means "source NAT". It does not mean "static NAT".}}
{{Tip| AWall has a built-in zone named "_fw" which is the "firewall itself". This corresponds to the Shorewall "fw" zone.}}

=== Activating/Applying a Policy ===
After saving the ''Policy'' you can run the following commands to activate your firewall settings:
{{cmd|awall list # Listing available 'Policy(s)' (This step is optional)
awall enable test-policy # Enables the 'Policy'
awall activate # Genereates firewall configuration from the 'Policy' files and enables it (starts the firewall)}}

If you have multiple policies, after enabling or disabling them, you need to always run ''awall activate'' in order to update the iptables rules.

= Advanced Firewall settings =
Assuming you have your <code>/usr/share/awall/optional/test-policy.json</code> with your "Basic home firewall" settings, you could choose to modify that file to test the below examples.
{{tip|You could create new files in <code>/usr/share/awall/optional/</code> for testing some of the below examples}}

== Logging ==
AWall will ''(since v0.2.7)'' automatically log dropped packets. If you are using Alpine 2.4 repository (AWall v0.2.5 or below), you should use ''"action": "logdrop"'' in order to log dropped packets. 
You could add the following row to the "policy" section in your ''Policy'' file in order to see the dropped packets.
<pre>{ "in": "inet", "out": "loc", "action": "drop" }</pre>

{{Note|If you are adding the above content to an already existing file, then make sure you add "," signs where they are needed!}}

== Port-Forwarding ==
Let's suppose you have a local web server (192.168.1.10) that you want to make accessible from the "inet". 
With Shorewall you would have a rule like this in your <code>/etc/shorewall/rules</code>:
<pre>
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) DEST
DNAT inet loc:192.168.1.10 tcp 80
</pre>

Lets configure our AWall ''Policy'' file likewise by adding the following content.
<pre>
"variable": {
"APACHE": "192.168.1.10",
"STATIC_IP": "1.2.3.4"
},

"filter": [
{ "in": "inet",
"dest": "$STATIC_IP",
"service": "http",
"action": "accept",
"dnat": "$APACHE"
}
]
</pre>
As you can see in the above example, we create a
* "variable" section where we specify some IP-addresses
* "filter" section where we do the actual port-forwarding (using the variables we just created and using some preexisting "services" definitions)
{{Note|If you are adding the above content to a already existing file, then make sure you add "," signs where they are needed!}}
{{Tip|AWall already has a "service" definition list for several services like HTTP, FTP, SNMP, etc. ''(see <code>/usr/share/awall/mandatory/services.json</code>)''}}

== Create your own service definitions ==
You can add your own service definitions into your ''Policy'' files:
<pre>
"service": {
"openvpn": { "proto": "udp", "port": 1194 }
}
</pre>
{{Note|You can not override a "service" definition that comes from <code>/usr/share/awall/mandatory/services.json</code>}}
{{Note|If you are adding the above content to a already existing file, then make sure you add "," signs where they are needed!}}

== Inherit services or variables ==
You can import a ''Policy'' into other ''Policy'' files for inheriting services or variables definitions:
<pre>
"import": "myfirewall"
</pre>

== Specify load order ==
By default policies are loaded on alphabetical order. 
You can change the load order with the keywords "before" and "after":
<pre>
"before": "myfirewall"
"after": "someotherpolicy"
</pre>

= Other =
== Permanently save config ==
If you are running from read-only medium (from CD, USB or CF) you will need to make sure your ''Policy'' files gets permanently saved until next reboot.
{{cmd|lbu inc <var>/usr/share/awall/optional/</var> # This tells lbu to include that path when creating a new apkovl
lbu ci # This creates the new apkovl}}

== Help and debugging ==
If you end up in some kind of trouble, you might find some commands useful when debugging:
{{cmd|awall # (With no parameters) Shows some basic help about awall application
iptables -L -n # Show what's in <code>iptables</code>}}

[[Category:Networking]]
[[Category:Security]]

How-To Alpine Wall

2012-10-12T13:30:13Z

Mhavela: Marking files and folders with '<code>'

{{Draft}}

= General =
Purpose of this doc is to illustrate Alpine Wall (AWall) by examples. 
We will explain AWall from the viewpoint of a Shorewall user. 

AWall is available since Alpine v2.4. 
Please see [[Alpine_Wall_User's_Guide]] for details about the syntax.

== Structure ==
Your AWall firewall configuration file(s) goes to <code>/usr/share/awall/optional</code>. 
You may have multiple configuration files ''(it is useful to have separate files for eg. HTTP,FTP and other roles)''. 
Each such file is called ''Policy''. 
The ''Policy(s)'' can be enabled or disabled by using the "awall [enable|disable]" command.
{{note|AWalls ''Policy'' files are not equivalent to Shorewalls <code>/etc/shorewall/policy</code> file.}}

An AWall ''Policy'' can contain definitions of:
* variables ''(like <code>/etc/shorewall/params</code>)''
* zones ''(like <code>/etc/shorewall/zones</code>)''
* interfaces ''(like <code>/etc/shorewall/interfaces</code>)''
* policies ''(like <code>/etc/shorewall/policy</code>)''
* filters and NAT rules ''(like <code>/etc/shorewall/rules</code>)''
* services ''(like <code>/usr/share/shorewall/macro.HTTP</code>)''

== Prerequisites ==
After installing awall package, you need to load the following iptables modules:
{{cmd|modprobe ip_tables
modprobe iptable_nat #if NAT is used}}

This is needed only the first time, after AWall installation.

Make the firewall autostart at boot and autoload the needed modules:
{{cmd|rc-update add iptables}}

= A Basic Home Firewall =
We will give a example on how you can convert a "Basic home firewall" from Shorewall to AWall.

== Example firewall using Shorewall ==
Let's suppose you have the following Shorewall configuration:

'''/etc/shorewall/zones'''
<pre>
inet ipv4
loc ipv4
</pre>

'''/etc/shorewall/interfaces'''
<pre>
inet eth0
loc eth1
</pre>

'''/etc/shorewall/policy'''
<pre>
fw all ACCEPT
loc inet ACCEPT
all all DROP
</pre>

'''/etc/shorewall/masq'''
<pre>
eth0 0.0.0.0/0
</pre>

== Example firewall using AWall ==
Now we will configure AWall to do the same thing as we just did with the above Shorewall example.

Create a new file called <code>/usr/share/awall/optional/test-policy.json</code> and add the following content to the file. 
{{Tip|You could call it something else as long as you save it in <code>/usr/share/awall/optional/</code> and name it <code>???'''.json'''</code>)}}
<pre>
{
"description": "Home firewall"

"zone": {
"inet": { "iface": "eth0" },
"loc": { "iface": "eth1" }
},

"policy": [
{ "in": "_fw", "action": "accept" },
{ "in": "loc", "out": "inet", "action": "accept" }
],

"snat": [
{ "out": "inet", "action": "masquerade" }
]
}
</pre>
The above configuration will:
* Create a description of your ''Policy''
* Define ''zones''
* Define ''policy''
* Define ''snat'' ''(to masqurade the outgoing traffic)''
{{Note|''snat'' means "source NAT". It does not mean "static NAT".}}
{{Tip| AWall has a built-in zone named "_fw" which is the "firewall itself". This corresponds to the Shorewall "fw" zone.}}

=== Activating/Applying a Policy ===
After saving the ''Policy'' you can run the following commands to activate your firewall settings:
{{cmd|awall list # Listing available 'Policy(s)' (This step is optional)
awall enable test-policy # Enables the 'Policy'
awall activate # Genereates firewall configuration from the 'Policy' files and enables it (starts the firewall)}}

If you have multiple policies, after enabling or disabling them, you need to always run ''awall activate'' in order to update the iptables rules.

= Advanced Firewall settings =
Assuming you have your <code>/usr/share/awall/optional/test-policy.json</code> with your "Basic home firewall" settings, you could choose to modify that file to test the below examples.
{{tip|You could create new files in <code>/usr/share/awall/optional/</code> for testing some of the below examples}}

== Logging ==
AWall will ''(since v0.2.7)'' automatically log dropped packets. If you are using Alpine 2.4 repository (AWall v0.2.5 or below), you should use ''"action": "logdrop"'' in order to log dropped packets. 
You could add the following row to the "policy" section in your ''Policy'' file in order to see the dropped packets.
<pre>{ "in": "inet", "out": "loc", "action": "drop" }</pre>

{{Note|If you are adding the above content to an already existing file, then make sure you add "," signs where they are needed!}}

== Port-Forwarding ==
Let's suppose you have a local web server (192.168.1.10) that you want to make accessible from the "inet". 
With Shorewall you would have a rule like this in your <code>/etc/shorewall/rules</code>:
<pre>
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) DEST
DNAT inet loc:192.168.1.10 tcp 80
</pre>

Lets configure our AWall ''Policy'' file likewise by adding the following content.
<pre>
"variable": {
"APACHE": "192.168.1.10",
"STATIC_IP": "1.2.3.4"
},

"filter": [
{ "in": "inet",
"dest": "$STATIC_IP",
"service": "http",
"action": "accept",
"dnat": "$APACHE"
}
]
</pre>
As you can see in the above example, we create a
* "variable" section where we specify some IP-addresses
* "filter" section where we do the actual port-forwarding (using the variables we just created and using some preexisting "services" definitions)
{{Note|If you are adding the above content to a already existing file, then make sure you add "," signs where they are needed!}}
{{Tip|AWall already has a "service" definition list for several services like HTTP, FTP, SNMP, etc. ''(see <code>/usr/share/awall/mandatory/services.json</code>)''}}

== Create your own service definitions ==
You can add your own service definitions into your ''Policy'' files:
<pre>
"service": {
"openvpn": { "proto": "udp", "port": 1194 }
}
</pre>
{{Note|You can not override a "service" definition that comes from <code>/usr/share/awall/mandatory/services.json</code>}}
{{Note|If you are adding the above content to a already existing file, then make sure you add "," signs where they are needed!}}

== Inherit services or variables ==
You can import a ''Policy'' into other ''Policy'' files for inheriting services or variables definitions:
<pre>
"import": "myfirewall"
</pre>

== Specify load order ==
By default policies are loaded on alphabetical order. 
You can change the load order with the keywords "before" and "after":
<pre>
"before": "myfirewall"
"after": "someotherpolicy"
</pre>

[[Category:Networking]]
[[Category:Security]]

Template:Cmd

2012-10-12T13:15:50Z

Mhavela: Decreasing size (leaving 'font-family' objects

<noinclude>{{Template}}
== Template Documentation ==
This template should be used for commands 
Example:
<nowiki>{{Cmd|apk add <var>package</var>}}</nowiki>

Will produce:
{{Cmd|apk add <var>package</var>}}



</noinclude><includeonly>{{{1}}}</includeonly>