RAD GNU/Linux Configuration Handbook


Table of Contents

RAD GNU/Linux Configuration Handbook
License
Thanks
Introduction
Configuration syntax -- sections and directives
Comments in the configuration
Section definitions
access-list {name}
global
interface ... -- common interface directives
interface bridge {number}
interface ethernet {number}
interface loopback
interface tunnel {number}
ip access-list {name} (deprecated)
ip pool {name} (deprecated)
ip route
ip shaper {interface_name}
resource-list {name}
shaper rule {name}
service ... -- common service directives
service httpd
service dhcp [name]
service netflow
service ntp
service pppoe [name]
service pppoe-client [name]
service pptp [name]
service pptp-client [name]
service syslog
virtual {name}
vlan {interface.vlan}
GNU Free Documentation License

RAD GNU/Linux Configuration Handbook

License

Copyright (c) 2004-2005 RAD GNU/Linux project, Peter V. Saveliev.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License", and also can be found on the project homepage [1] and on the GNU site [2].

Thanks

The author acknowledges these people:

  • Adam Peterson (at0m) -- documentation proofreading (until 0.2.1)
  • Lidia V. Starostina -- documentation proofreading

And all the people on the RAD GNU/Linux mailing lists for their significant help in testing. Thank you.

Introduction

Configuration syntax -- sections and directives

RAD GNU/Linux has one system-wide configuration file, with a very simple syntax. The configuration is divided into sections; each section starts with a section definition and contains configuration directives, one per line. The configuration file must start with the line ! rt-network .*, where .* means any number of any characters.

Section definitions start at the beginning of a line. Configuration directives start with one or more blank characters (spaces or tabs). All directives between two section definitions belong to the first one.

Comments in the configuration

There can be comments in the configuration. Comments can be used to separate one section from another, to emphasize the configuration structure, or to describe some directives more clearly.

Comments start with the # or ! symbol. Everything after a # or ! is treated as a comment and is ignored when the system is configured [3].
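A small parser for the syntax just described, added here as an example (it is not part of RAD GNU/Linux): it checks the ! rt-network header, splits the file into sections and their directives, and strips # and ! comments, including trailing ones. The sample configuration embedded in it is constructed in the style of the handbook's examples.

```python
# Added example, not part of the handbook or of RAD GNU/Linux itself:
# a parser for the section/directive syntax described above.
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(r"^! rt-network")      # required first line: "! rt-network .*"
COMMENT_RE = re.compile(r"[#!].*$")            # '#' or '!' starts a comment


class ConfigError(ValueError):
    """Raised for a missing header or a directive outside any section."""


@dataclass
class Section:
    name: str                                  # e.g. "interface ethernet 0"
    directives: list = field(default_factory=list)


def strip_comment(line: str) -> str:
    """Remove a trailing '#'/'!' comment and surrounding blanks."""
    return COMMENT_RE.sub("", line).strip()


def parse_config(text: str) -> list:
    """Split the configuration into Section objects, in file order.

    A line starting at column 0 is a section definition; a line starting
    with one or more blanks (space or tab) is a directive belonging to the
    most recent section. Comment-only and empty lines are skipped.
    """
    lines = text.splitlines()
    if not lines or not HEADER_RE.match(lines[0]):
        raise ConfigError("configuration must start with '! rt-network ...'")
    sections, current = [], None
    for lineno, raw in enumerate(lines[1:], start=2):
        body = strip_comment(raw)
        if not body:
            continue
        if raw[0] in " \t":
            if current is None:
                raise ConfigError(f"line {lineno}: directive before any section")
            current.directives.append(body)
        else:
            current = Section(body)
            sections.append(current)
    return sections


def find_sections(sections: list, prefix: str) -> list:
    """All sections whose definition is exactly `prefix` or starts with it."""
    return [s for s in sections
            if s.name == prefix or s.name.startswith(prefix + " ")]


def is_valid_config(text: str) -> bool:
    """True when the header is present and every directive has a section."""
    try:
        parse_config(text)
        return True
    except ConfigError:
        return False


# Constructed sample in the style of the handbook's examples.
SAMPLE_CONFIG = """! rt-network sample configuration (constructed)
global
\thostname radlinux
\taddress 192.168.0.2 radlinux ! host's IP
\tnameserver 217.170.64.5
!
interface ethernet 0
\taddress 81.9.1.2/24
\taccess-list masquerade out    # trailing comment
!
"""

if __name__ == "__main__":
    for section in parse_config(SAMPLE_CONFIG):
        print(section.name)
        for directive in section.directives:
            print("   ", directive)
```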

Section definitions

All definitions are given in alphabetical order, grouped in a tree-like structure. To avoid misunderstanding, there is an example after almost every section. All variable parts of definitions or directives are in {curly brackets}. All optional parameters are in [square brackets].

There are unique and array directives. For example, a machine can have only one hostname, so the hostname directive must be unique. Conversely, an interface can have many addresses; address is an example of an array directive. Such directives are marked with (a).

Obviously, this document cannot cover all related documents such as man pages. References to man pages are emphasized and given with the man section number. For instance, ip(8) refers to the ip man page in the eighth man section. Such a man page can be viewed with the man 8 ip command. If you have no GNU/Linux system on which to read the appropriate man page, you can find it on the Internet.

access-list {name}

Define an access-list template. Access-lists are used to restrict access from or to IP addresses, or to set up SNAT or DNAT. All the access-lists on a box taken together are frequently called the firewall (or brandmauer). By default, there are no access-lists defined.

Any access-list directive consists of a target and a packet specification, or spec. A packet that matches the spec is processed according to the target.

targets

Possible targets are:

accept {spec}

Accept packets.

dnat {spec}

Set up DNAT. DNAT stands for Destination Network Address Translation. It can be used to forward packets addressed to the RAD GNU/Linux box to another machine. The corresponding spec has to contain a "todst" rule.

drop {spec}

Drop packets silently, as if they had never arrived.

masquerade {spec}

Like snat (see below), but does not need the "tosrc" option. It has to be used on connections with dynamic addresses, such as PPP.

redirect {spec}

Redirect packets to a local port. An applicable spec must include a "toprt" rule.

reject {spec}

Reject packets and send the sender ICMP "administratively prohibited" messages. Announcing your firewall's restrictions this way is a good idea unless you are concerned about DoS attacks.

set {spec}

Set fwmark on the specified packets. It can be used in conjunction with shaper rules, for instance, to shape the traffic, which has been marked on the internal interface, on the external one.

snat {spec}

Set up SNAT. SNAT stands for Source Network Address Translation. It is used to give internal networks access to external ones, and is frequently used to set up a gateway from an office network to the Internet. The corresponding spec has to contain a "tosrc" rule.

specs

After a target, there must be a rule specification. It can be built with:

any

Special value: matches any packet.

fwmark {number}

Set fwmark to {number}.

dport {port}

Destination port. Can be used only after the protocol is specified.

dst {ipaddr[/mask]}

Destination IP address.

proto {name}

Protocol definition. It can be one of tcp, udp, icmp or all, or can be numeric value, representing the protocol number.

sport {port}

Source port. Can be used only after the protocol is specified.

src {ipaddr[/mask]}

Source IP address.

state {state}

Match packets in {state}, where {state} can be one or more words separated with commas. Possible states are new, established, related or invalid.

tosrc {ipaddr}

SNAT outgoing connections to the specified IP address. It can be used only in "snat" rules.

todst {ipaddr:port}

It can be used only in "dnat" rules. DNAT incoming connections to the specified IP address and port. The port can be given only when a protocol is selected.

Example 1. access-lists: usage in a shaper rule

!
ip access-list test
	! drop SMB connections
	drop proto tcp dport 445
	drop proto tcp dport 135
	! reject any other packet
	reject any
!
shaper rule test
	address 192.168.0.0/24
	access-list test in
	bound 128Kbit
!
ip shaper ethernet 0
	shaper rule test
!

Example 2. access-lists: SNAT

!
interface ethernet 0
	address 81.9.1.2/24
	address 81.9.1.3/24
	access-list masquerade out
	access-list ugly in priority 100
!
ip access-list masquerade
	! Masquerade one network with 81.9.1.2 and
	! another with 81.9.1.3:
	snat src 192.168.0.0/24 tosrc 81.9.1.2
	snat src 10.0.0.0/24 tosrc 81.9.1.3
!
ip access-list ugly
	! deny incoming icmp (this is a VERY bad idea, do NOT
	! follow this ugly example!)
	drop proto icmp
!

Example 3. access-lists: shaping fwmark'ed packets

!
interface ethernet 0
	address 81.9.91.2/30
!
interface ethernet 1
	address 10.0.0.2/24
	address 192.168.0.2/24
	! mark all packets, incoming from 10.0.0.0/24
	access-list test in
!
ip access-list test
	set fwmark 1 src 10.0.0.0/24
!
shaper rule test
	match fwmark 1
	bound 32Kbit
!
ip shaper ethernet 0
	! shape outbound traffic
	shaper rule test
!
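The target and spec constraints listed in this section, collected into a validator. This is an added example, not RAD GNU/Linux code; it assumes that "any" stands alone in a spec and that a port may be written as a low:high range, as in Example 21.

```python
# Added example, not RAD GNU/Linux code: a validator for the "target spec"
# form of access-list directives, enforcing the constraints stated in the
# access-list section (dport/sport only after proto, tosrc only with snat,
# todst only with dnat, a todst port only with a proto, toprt with redirect).
import ipaddress

TARGETS = {"accept", "dnat", "drop", "masquerade", "redirect", "reject", "set", "snat"}
STATES = {"new", "established", "related", "invalid"}
PROTOS = {"tcp", "udp", "icmp", "all"}
# spec keyword -> number of values it takes
ARGS = {"any": 0, "fwmark": 1, "dport": 1, "dst": 1, "proto": 1, "sport": 1,
        "src": 1, "state": 1, "tosrc": 1, "todst": 1, "toprt": 1}


def _port_ok(text):
    """A single port or a low:high range such as 1024:65535."""
    try:
        parts = [int(p) for p in text.split(":")]
    except ValueError:
        return False
    return (1 <= len(parts) <= 2 and parts == sorted(parts)
            and all(1 <= p <= 65535 for p in parts))


def _addr_ok(text, network=False):
    """An IP address, or an ip[/mask] network when network=True."""
    try:
        if network:
            ipaddress.ip_network(text, strict=False)
        else:
            ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_rule(line):
    """'snat src 10.0.0.0/24 tosrc 81.9.1.3' -> ('snat', {'src': ..., 'tosrc': ...})."""
    words = line.split()
    if not words or words[0] not in TARGETS:
        raise ValueError(f"unknown target in {line!r}")
    target, spec, i = words[0], {}, 1
    while i < len(words):
        key = words[i]
        if key not in ARGS:
            raise ValueError(f"unknown spec keyword {key!r}")
        if i + ARGS[key] >= len(words):
            raise ValueError(f"missing value for {key!r}")
        spec[key] = words[i + 1] if ARGS[key] else True
        i += ARGS[key] + 1
    return target, spec


def check_rule(line):
    """Return the list of problems found; an empty list means the rule is valid."""
    try:
        target, spec = parse_rule(line)
    except ValueError as exc:
        return [str(exc)]
    problems, keys = [], list(spec)              # dict keeps keyword order
    if not spec:
        problems.append("empty packet spec")
    if "any" in spec and len(spec) > 1:           # assumption: 'any' stands alone
        problems.append("'any' cannot be combined with other matches")
    for k in ("sport", "dport"):
        if k in spec:
            if "proto" not in spec or keys.index("proto") > keys.index(k):
                problems.append(f"{k} is allowed only after proto")
            elif not _port_ok(spec[k]):
                problems.append(f"bad port {spec[k]!r}")
    if "proto" in spec and spec["proto"] not in PROTOS and not spec["proto"].isdigit():
        problems.append(f"bad proto {spec['proto']!r}")
    for k in ("src", "dst"):
        if k in spec and not _addr_ok(spec[k], network=True):
            problems.append(f"bad address {spec[k]!r}")
    if "state" in spec:
        unknown = set(spec["state"].split(",")) - STATES
        if unknown:
            problems.append(f"unknown state(s) {sorted(unknown)}")
    if "fwmark" in spec and not spec["fwmark"].isdigit():
        problems.append(f"bad fwmark {spec['fwmark']!r}")
    if target == "set" and "fwmark" not in spec:
        problems.append("set needs fwmark")
    if ("tosrc" in spec) != (target == "snat"):
        problems.append("tosrc is required by, and only valid in, snat rules")
    elif "tosrc" in spec and not _addr_ok(spec["tosrc"]):
        problems.append(f"bad tosrc {spec['tosrc']!r}")
    if ("todst" in spec) != (target == "dnat"):
        problems.append("todst is required by, and only valid in, dnat rules")
    elif "todst" in spec:
        host, _, port = spec["todst"].partition(":")
        if not _addr_ok(host) or (port and not _port_ok(port)):
            problems.append(f"bad todst {spec['todst']!r}")
        if port and "proto" not in spec:
            problems.append("a todst port needs proto")
    if ("toprt" in spec) != (target == "redirect"):
        problems.append("toprt is required by, and only valid in, redirect rules")
    return problems
```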

global

Global system settings, such as nameservers, IP forwarding, etc.

access-list {name} in|out|forward [priority {number}] (a)

Use access-list {name} for the whole system, on all interfaces. If an access-list is used to handle forwarded packets, it will be applied to all directions.

address {ipaddr} {hostname} (a)

Static IP address mappings. It is useful to enter a mapping at least for the host's own name, see the example below. The PPPoE service will work only when such a mapping for the hostname is present.

hostname {name}

Set the hostname. The hostname is important when running the PPPoE service.

nameserver {name} (a)

Add a nameserver to the list. At least one nameserver is needed to use names instead of IP addresses at the command prompt.

enable|disable {value} (a)

Possible values are:

vlan

VLAN support; disabled by default. It has to be enabled to work with trunk links from network devices such as Cisco (tm) switches.

ip_forward

IP forwarding; the default state depends on the kernel configuration and is frequently disabled. If you plan to use RAD GNU/Linux as a network gateway, you have to enable this option.

Example 4. global

!
global
	hostname radlinux
	address 192.168.0.2 radlinux ! host's IP
	address 192.168.0.1 gateway  ! another IP mapping sample
	nameserver 217.170.64.5
	nameserver 217.170.67.5
	enable vlan
	enable ip_forward
!

interface ... -- common interface directives

This section contains directives that can be set on any interface.

access-list {name} in|out|forward [priority {number}] (a)

Use access-list {name} on the interface. Access-lists act like templates: using one that restricts access to port 23 restricts it only on this interface. If an access-list is used to handle forwarded packets, it is applied only to packets incoming on this interface.

A priority can be given to control the order in which the firewall is built, so that one template is applied before another. The default priority is 10. The range of priority values is shared among all access-list directives in all sections.

address {ipaddr[/mask]} [label {name}] (a)

Configure an address on the interface, in the form ip[/mask] [label name]. The {label} parameter is optional; {mask} is /32 by default.

arp on|off

Turn ARP on the interface on or off.

dynamic on|off

Set the dynamic flag.

enable|disable {value} (a)

There can be the following values:

dhcp. Enable dynamic IP configuration on the interface. Disabled by default. You can enable this option if there is a DHCP server in your network and you do not want a static IP on the RAD GNU/Linux box. The pre-set RAD GNU/Linux configuration defines up to four ethernet adapters with DHCP enabled, to ease default network access and help you set up the router.

masquerade. Deprecated and may not work in some builds. Enable masquerading on the interface; disabled by default. It is a shortcut to set up SNAT on the interface.

mtu {number}

Set the maximum transmission unit (MTU).

multicast on|off

Set multicast flag.

txqueuelen {number}

Set transmit queue length.

interface bridge {number}

A virtual interface that may be configured on top of any other interface(s). Its primary purpose is to make an ethernet-level bridge between two or more interfaces.

interface {name} (a)

Add an interface to the bridge.

option {spec} (a)

Set a bridge option. For details, see brctl(8). The installed bridge parameters can be reviewed with the show bridge info or show bridge stp commands.

setageing {time}

Set the link-layer address (lladdr) ageing time on the bridge, in seconds.

setbridgeprio {priority}

Set the bridge's priority. The priority parameter is a 16-bit number, between 0 and 65535. The bridge with the lowest priority value becomes the root of the STP tree. STP has to be enabled for this option to have any effect.

setfd {time}

Set the bridge's "forward delay" timer, in seconds. STP has to be enabled.

setgcint {time}

Set the "garbage collection" interval on the bridge, in seconds.

sethello {time}

Set "hello time", in seconds. STP has to be enabled.

setmaxage {time}

Set "maximum message age" time, in seconds. STP has to be enabled.

setpathcost {port} {cost}

Set a path's {cost} on a {port}. STP has to be enabled.

setportprio {port} {priority}

Set {priority} on the {port}. Priority is an 8-bit number, between 0 and 255. STP has to be enabled.

stp on|off

Turn STP on the bridge "on" or "off". STP can be enabled or disabled only on the whole bridge, not on a particular port. A bridge with STP turned off forwards incoming STP packets rather than dropping them.

Example 5. interface bridge

!
interface bridge 0
	interface ethernet 0
	interface ethernet 1
	address 192.168.0.1/24
	option stp on
!

interface ethernet {number}

Real ethernet NIC section. RAD GNU/Linux autodetects PCI ethernet adapters and sets their names automatically. If you want to override this behavior, you can assign interface names by MAC address, see the "mac" directive.

autoneg on|off

Set the autonegotiation flag on or off. It may be necessary to turn it off for some buggy devices, or when a NIC is connected to such a device. When autonegotiation is off, duplex and speed have to be set manually.

duplex full|half

Set full or half duplex; this may not work with some cards.

mac {lladdr}

Bind the interface configuration to this MAC address: the system names the interface that has this MAC as ethX. Note that the directive does not set the MAC address on the interface; it names the interface by its MAC address.

port {port}

Set the device port to one of tp, aui, bnc or mii; see the Linux kernel documentation for details.

speed 10|100|1000

Set the speed to 10, 100 or 1000 Mbit/s. This is necessary when autonegotiation is off, or when it does not work properly.

Example 6. interface ethernet

!
interface ethernet 0
	address 192.168.0.1/24
	address 192.168.0.2/24
	speed 100
	duplex full
!

interface loopback

Configure the virtual loopback interface. This section may contain only common interface directives, such as address, mtu, etc. The system can have only one loopback interface.

Example 7. interface loopback

!
interface loopback
	address 127.0.0.1/8
!

interface tunnel {number}

A tunnel virtual interface. It can exist only if the target host (see below) is reachable, because tunnels work over existing connections. This section is under heavy development, so if you want real tunnels, see the "service pptp" and "service pptp-client" sections.

mode {mode}

Set the tunnel operating mode; currently only GRE is supported.

local {ipaddr}

The local address to build the tunnel on.

remote {ipaddr}

The remote address to connect to.

target {ipaddr}

The target tunnel interface address, i.e. the peer's address inside the tunnel.

ttl {number}

Time-to-live parameter.

Example 8. interface tunnel: mode GRE

!
interface tunnel 0
	mode gre
	address 192.168.213.1 # local tnlX address
	target 192.168.213.2 # remote tnlX address
	local 10.0.0.2 # local ethX address to build the tunnel on
	remote 10.0.0.3 # remote ethX address to connect to
!

ip access-list {name} (deprecated)

Deprecated, see the "access-list" section.

ip pool {name} (deprecated)

Deprecated, see the "service dhcp" section.

ip route

Static route specification.

route {spec} (a)

A route directive, in the syntax of the iproute2 ip(8) command.

Example 9. ip route

!
ip route
	route 10.0.0.0/24 via 10.0.0.1 dev eth0 onlink
	route 192.168.0.0/24 via 192.168.0.1
	route default via 192.168.1.1 protocol static
!

ip shaper {interface_name}

Traffic shaper definition for a desired interface.

bandwidth {spec}

This parameter defines the real interface bandwidth; it is needed only for CBQ shapers to work and must be specified in Kbit or Mbit. It is not needed in the case of HTB.

mode cbq|htb

Set the shaper to CBQ (Class Based Queueing) or HTB (Hierarchical Token Bucket). HTB seems to work better than CBQ, so HTB is the default mode.

refresh every {X} minutes

Reload shaper rules every {X} minutes. It is useful when there's a host that loads rules from a database and shares rule files over HTTP or FTP.

restricted {spec}

Set the shaped interface to reject packets from or to IP addresses not listed in its rules. The parameter can be one of input, forward or output. If input is restricted, unwanted packets are discarded as soon as they reach the interface. If forward is set, only forwarding of such packets is restricted, while the router itself remains reachable from the whole subnet on the shaped interface. If output is set, sending packets to unlisted IP addresses is suppressed at the output stage.

shaper rule {spec} (a)

Attach named rule(s) to the shaper.

shaper file {URL} (a)

Use the rule(s) defined in the file located at {URL}. Note that rules with the same ID must have the same bound; this is how several hosts are bounded by one rule.

Example 10. ip shaper

!
ip shaper ethernet 0
	restricted input
	refresh every 5 minutes
	shaper rule office
	shaper file http://user:[email protected]/rules/eth0.csv
!
ip shaper ethernet 1
	bandwidth 100Mbit
	mode cbq
	shaper rule room0
	shaper rule room1
!

Example 11. shaper file

DL1 128Kbit src 192.168.0.2 lladdr 00:01:02:03:04:05
DL1 128Kbit src 192.168.0.3 lladdr 00:01:02:03:04:06
DL2 10Mbit  src 192.168.0.4 lladdr 00:01:02:03:04:07
DL3 100Mbit src 192.168.0.5 lladdr 00:01:02:03:04:08

resource-list {name}

Define system limits that can be applied to a service. Since RAD GNU/Linux 0.2.1, all services are executed in separate contexts. Each context can have CPU, memory and other limits.

address {ipaddr[/mask]} (a)

Bind the context to the given address(es). Other IP addresses will not be visible to the context. If no addresses are given, the context sees all system IP addresses.

limit {name} {value} [{name} {value} ...] (a)

Set a limit. Possible limits are (as in ulimit(1), but context-wide):

core

The maximum size of core files created (Kb).

data

The maximum size of a context's data segment (Kb).

files

The maximum number of open file descriptors.

fsize

The maximum size of files created by the context (Kb).

memlock

The maximum size that may be locked in memory (Kb).

nproc

The maximum number of processes available to the context.

rss

The maximum resident set size (Kb).

stack

The maximum stack size for the context (Kb).

scheduler {type} {load%}

Set a token bucket scheduler for the context. {type} can be prio or hard: the prio scheduler only sets a priority, while hard locks the context so that it cannot exceed its limit. {load} must be given in percent.

Example 12. resource-list

!
resource-list test
	address 10.0.0.2/24
	scheduler hard 30%
	limit nproc 16 files 8
	limit data 4096
	limit rss 1024
!
service httpd
	resource-list test
	...
!

shaper rule {name}

Define shaper rule. One shaper rule can be used in several ip shaper sections.

access-list {name} in|out|forward [priority {number}] (a)

Use access-list {name} for the shaper rule definitions. See the "interface" and "access-list" sections for more about this directive.

match {spec} (a)

Match the specified packets, where {spec} consists of:

fwmark {number}

The fwmark {number} set by an access-list.

dport {port}

Destination port.

dst {ipaddr[/mask]}

Destination IP address.

lladdr {lladdr}

Install a persistent {lladdr} <-> {ipaddr} mapping to make sure that the traffic comes from a particular machine in the network. Installed mappings can be reviewed with the show arp cache command. Note that {lladdr} can be forged by the client, so the more reliable solution is PPPoE (see below).

proto {name}

Protocol definition. It can be one of tcp, udp, icmp, or can be numeric value, representing protocol number.

sport {port}

Source port.

src {ipaddr[/mask]}

Source IP address.

bound {speed}

Bound the rule to the desired speed. The speed spec must have the suffix Kbit or Mbit.

Example 13. shaper rule

!
shaper rule office
	match src 192.168.0.2 lladdr 00:01:02:03:04:05
	match src 192.168.0.3 lladdr 00:01:02:03:04:06
	match src 192.168.0.4 lladdr 00:01:02:03:04:07
	bound 10Mbit
!
shaper rule designers
	match src 192.168.1.0/24
	bound 64Kbit
!
ip shaper ethernet 0
	restricted forward
	shaper rule office
	shaper rule designers
	...
!
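A loader for the shaper file format of Example 11, added here as an example (not RAD GNU/Linux code) that covers both the "shaper file" directive of the ip shaper section and the shaper rule match/bound syntax above: it parses each row's bound and match spec, enforces that rows sharing an ID share a bound, and renders the result as the equivalent shaper rule sections. It assumes that a '#' comment may appear in the file, that the speed suffix is case-insensitive, and that 1 Kbit is 1000 bit.

```python
# Added example (not RAD GNU/Linux code): loader for the "shaper file"
# format of Example 11, checking the rule that rows sharing an ID must share
# a bound, and rendering the rows as "shaper rule" sections.
import ipaddress
import re

SPEED_RE = re.compile(r"^(\d+)([KM])bit$", re.IGNORECASE)    # suffix Kbit or Mbit
LLADDR_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)
MATCH_KEYS = {"fwmark", "dport", "dst", "lladdr", "proto", "sport", "src"}


def parse_speed(text):
    """'128Kbit' -> 128000, '10Mbit' -> 10000000 (assumes 1 Kbit = 1000 bit)."""
    m = SPEED_RE.match(text)
    if not m:
        raise ValueError(f"speed {text!r} needs a Kbit or Mbit suffix")
    return int(m.group(1)) * (1000 if m.group(2).upper() == "K" else 1_000_000)


def parse_match(words):
    """'src 192.168.0.2 lladdr 00:01:02:03:04:05' -> dict, values checked."""
    if not words or len(words) % 2:
        raise ValueError("match spec must be key/value pairs")
    spec = dict(zip(words[::2], words[1::2]))
    for key, value in spec.items():
        if key not in MATCH_KEYS:
            raise ValueError(f"unknown match key {key!r}")
        if key in ("src", "dst"):
            ipaddress.ip_network(value, strict=False)      # raises on bad input
        elif key == "lladdr" and not LLADDR_RE.match(value):
            raise ValueError(f"bad lladdr {value!r}")
        elif key in ("sport", "dport", "fwmark") and not value.isdigit():
            raise ValueError(f"bad {key} {value!r}")
    return spec


def load_shaper_file(text):
    """Return {rule_id: {"bound": bit/s, "bound_text": str, "match": [spec, ...]}}."""
    rules = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()               # assumption: '#' comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected 'ID speed match...'")
        rule_id, speed, spec_words = fields[0], fields[1], fields[2:]
        bound = parse_speed(speed)
        rule = rules.setdefault(rule_id, {"bound": bound, "bound_text": speed, "match": []})
        if rule["bound"] != bound:
            raise ValueError(f"line {lineno}: rule {rule_id} already bound to "
                             f"{rule['bound_text']}, cannot rebind to {speed}")
        rule["match"].append(parse_match(spec_words))
    return rules


def to_shaper_rules(rules):
    """Render loaded rules as 'shaper rule' sections in the handbook's syntax."""
    out = []
    for rule_id, rule in rules.items():
        out.append(f"shaper rule {rule_id}")
        for spec in rule["match"]:
            out.append("\tmatch " + " ".join(f"{k} {v}" for k, v in spec.items()))
        out.append(f"\tbound {rule['bound_text']}")
        out.append("!")
    return "\n".join(out) + "\n"


# The four rows of Example 11, copied here as sample input.
SAMPLE_FILE = """\
DL1 128Kbit src 192.168.0.2 lladdr 00:01:02:03:04:05
DL1 128Kbit src 192.168.0.3 lladdr 00:01:02:03:04:06
DL2 10Mbit  src 192.168.0.4 lladdr 00:01:02:03:04:07
DL3 100Mbit src 192.168.0.5 lladdr 00:01:02:03:04:08
"""

if __name__ == "__main__":
    print(to_shaper_rules(load_shaper_file(SAMPLE_FILE)))
```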

service ... -- common service directives

These directives may be specified in any service section.

disable service

This directive completely disables the service, for cases where that is more convenient than commenting the section out.

service httpd

A lightweight HTTP server giving access to system monitoring and some administrative functions.

allow {ipaddr[/mask]} (a)

Allow connections from {ipaddr[/mask]}, where the mask has to be in the X.X.X.X form. Access is denied by default.

port {number}

Define the TCP port to listen on.

realm {name} {username:password}

Use a realm named {name} and the credentials {username:password} to grant access to the /cgi-bin directory.

Example 14. service httpd

!
service httpd
        port 80
        realm basic root:not_root
        allow 127.0.0.1
        allow 192.168.0.0/255.255.0.0
!

service dhcp [name]

Define a DHCP pool. Such pools serve local networks and set up IP addresses on client machines automatically. There can be more than one pool per interface, and a pool can be bound to several interfaces.

address {ipaddr} {lladdr} (a)

Static DHCP lease. Both IP and MAC addresses are required. The MAC address is used not only to lease the IP, but also to restrict use of that IP to the selected MAC. Such IP-MAC pairs can be listed with the "show arp cache" command in the shell.

interface {name} (a)

An interface to bind ip pool to. There can be several interfaces per pool, and several pools per interface.

option {spec} (a)

Add DHCP option to the reply. Currently only the following options are supported:

option subnet    - netmask to offer, in X.X.X.X format
option router    - default router
option dns       - name server, in the format X.X.X.X[ X.X.X.X[...]]
option domain    - domain
option ipttl     - Time-to-live
option mtu       - MTU
option broadcast - broadcast address for the net
option wins      - WINS server
option ntpsrv    - NTP server
option tftp      - TFTP server
option bootfile  - file name to get from TFTP

range {start_ipaddr} {end_ipaddr}

Dynamic IP lease pool definition. If you do not care which IP each machine will use, you can set up a dynamic IP pool.

refresh every {X} minutes

Refresh the static leases table every {X} minutes. It can be used in conjunction with a remote leases table that resides on an HTTP or FTP server, see below.

use file {URL} (a)

Use a file from {URL} as a static lease table.

Example 15. service dhcp

!
service dhcp test
	! dynamic pool:
	range 10.0.0.3 10.0.0.30
	! two static leases:
	address 10.0.0.31 00:0a:e4:4d:d7:6d
	address 10.0.0.32 00:0a:e4:4d:d7:6e
	! also use static lease tables from these servers:
	use file http://user:[email protected]/dhcp.pool.1
	use file http://user:[email protected]/dhcp.pool.2
	! other options:
	interface ethernet 0
	option subnet 255.255.255.0
	option dns 10.0.0.1 10.0.0.2
	option domain test
!

Example 16. lease file

10.0.0.31 00:0a:e4:4d:d7:6d
10.0.0.32 00:0a:e4:4d:d7:6e

service netflow

IP accounting service.

aggregate {ipaddr/mask} strip {bits} (a)

Aggregate addresses within {ipaddr/mask} by keeping only their first {bits} bits, so the rule aggregate 192.168.0.0/16 strip 32 means "do not aggregate 192.168.0.0/16", while strip 24 keeps the network part and drops the last octet.

aggregate {port_range} into {port} (a)

Aggregate desired port range into one port.

export destination {ipaddr} {port}

Required for the service to be enabled at all. Export NetFlow accounting to the specified IP address and port.

interface {name} (a)

An interface to gather statistics on.

Example 17. service netflow

!
service netflow
        interface eth0
        export destination 127.0.0.1 9996
        memory-limit 10m
        aggregate 192.168.0.0/16 strip 32 # do NOT aggregate 192.168.0.0/16
        aggregate 0.0.0.0/0 strip 24      # drop the last octet of all other IPs
        aggregate 3128-3128 into 3128
        aggregate 1024-65535 into 65535
        aggregate 150-1023 into 1023
!
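The address and port aggregation described in this section, applied to constructed flow records. This is an added example, not RAD GNU/Linux's netflow code; it reads strip N as "keep the first N address bits", as the comments in Example 17 show, and assumes that the most specific prefix and the narrowest port range take precedence when several aggregate directives match.

```python
# Added example (not RAD GNU/Linux code): the address and port aggregation
# of the netflow "aggregate" directives, applied to constructed flow records.
# "strip N" is read as in Example 17's comments: keep the first N bits of an
# address (strip 32 = whole address, strip 24 = drop the last octet).
# Precedence (most specific prefix, narrowest port range) is an assumption.
import ipaddress
from collections import Counter


def parse_aggregate(directive):
    """Return ('ip', network, bits) or ('port', (low, high), into)."""
    words = directive.split("#", 1)[0].split()
    if len(words) != 4 or words[0] != "aggregate":
        raise ValueError(f"not an aggregate directive: {directive!r}")
    if words[2] == "strip":
        bits = int(words[3])
        if not 0 <= bits <= 32:
            raise ValueError(f"strip must be 0..32, got {bits}")
        return "ip", ipaddress.ip_network(words[1], strict=False), bits
    if words[2] == "into":
        low, _, high = words[1].partition("-")
        return "port", (int(low), int(high)), int(words[3])
    raise ValueError(f"expected 'strip' or 'into' in {directive!r}")


class Aggregator:
    def __init__(self, directives):
        self.ip_rules, self.port_rules = [], []
        for directive in directives:
            kind, key, value = parse_aggregate(directive)
            (self.ip_rules if kind == "ip" else self.port_rules).append((key, value))
        # most specific network first; narrowest port range first
        self.ip_rules.sort(key=lambda r: r[0].prefixlen, reverse=True)
        self.port_rules.sort(key=lambda r: r[0][1] - r[0][0])

    def address(self, text):
        """Mask the address to the 'strip' length of the first matching rule."""
        addr = ipaddress.ip_address(text)
        for net, bits in self.ip_rules:
            if addr in net:
                return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False).network_address)
        return str(addr)

    def port(self, number):
        """Map the port into the 'into' port of the first matching range."""
        for (low, high), into in self.port_rules:
            if low <= number <= high:
                return into
        return number

    def flow(self, src, dst, sport, dport):
        return (self.address(src), self.address(dst), self.port(sport), self.port(dport))


def summarize(aggregator, flows):
    """Sum bytes per aggregated (src, dst, sport, dport) key."""
    totals = Counter()
    for src, dst, sport, dport, nbytes in flows:
        totals[aggregator.flow(src, dst, sport, dport)] += nbytes
    return dict(totals)


# The aggregate directives of Example 17.
EXAMPLE_17 = [
    "aggregate 192.168.0.0/16 strip 32",
    "aggregate 0.0.0.0/0 strip 24",
    "aggregate 3128-3128 into 3128",
    "aggregate 1024-65535 into 65535",
    "aggregate 150-1023 into 1023",
]

# Constructed flow records: (src, dst, sport, dport, bytes).
SAMPLE_FLOWS = [
    ("192.168.0.5", "10.1.2.3", 40000, 443, 1500),
    ("192.168.0.5", "10.1.2.9", 40001, 443, 2500),   # same key after aggregation
    ("192.168.0.7", "10.1.2.3", 40002, 80, 700),
    ("10.9.8.7", "192.168.0.5", 3128, 3128, 300),
]

if __name__ == "__main__":
    for key, nbytes in summarize(Aggregator(EXAMPLE_17), SAMPLE_FLOWS).items():
        print(key, nbytes)
```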

service ntp

Network time protocol service.

peer {ipaddr} (a)

A peer to synchronize the system clock with.

allow {ipaddr} [mask {netmask}] [flag[,flag[,...]]] (a)

By default, all external access to the server is denied. With this directive one can allow a host or a network to access the server with the specified flags. The mask has to be given in the X.X.X.X form, e.g. 255.255.255.0. Possible flags are ignore, notrust and nomodify.

Example 18. service ntp

!
service ntp
	peer 195.2.64.5
	!
	! read-only access for 192.168.0.0/16:
	allow 192.168.0.0 mask 255.255.0.0 notrust,nomodify
!

service pppoe [name]

An xDSL access server. PPPoE stands for Point-to-Point Protocol over Ethernet. It can be used to grant authorized access to the gateway. There can be multiple PPPoE services on one interface, and each service can be bound to several interfaces.

access-list {name}

Use access-list {name} to firewall each user session. Note that the firewall setup slows down user login and packet processing, especially with hundreds of sessions. It may be more suitable to set up the firewall in the "global" section.

announce {name}

Announce the service under the name {name}.

clamp-mss {MSS}

Clamp incoming and outgoing TCP MSS values to the specified value, in bytes.

enable|disable {value}

Enable or disable one of the following values:

radius

RADIUS AAA. When disabled, local user authentication is used. When enabled, RADIUS servers and a key (or keys) have to be defined (see below). By default RADIUS is disabled and local authentication is used.

rt-monitor

When enabled, a monitoring process is created for each user session; it builds traffic usage graphs for the web interface. Disabled by default.

simultaneous

When this parameter is set to "disable", the service uses the local user database to deny simultaneous logins for the same user. When RADIUS authentication is used, it is preferable to use RADIUS mechanisms for the same task, but with local authentication there is no other choice. Enabled by default.

interface {spec} (a)

Listen on the specified interface.

nameserver {ipaddr} (a)

Supply nameserver {ipaddr} to the clients.

option {option}

Pass {option} to a pppd(8) process. For a detailed description of the options see the appropriate man page. Only a few useful options are listed here:

debug

Set this option if you need to debug the session flow.

mppe ...

The require-mschap-v2 option has to be set for MPPE/MPPC to work properly. MPPE/MPPC are enabled by default, but are used only if the client supports them. One can set option mppe required to refuse connections without MPPE/MPPC.

require-...

There are several authentication mechanisms that pppd(8) uses, such as PAP, CHAP, MSCHAP etc. The corresponding options are require-pap, require-chap, require-mschap, require-mschap-v2 etc.

To modify the local PAP authentication database, use configure ppp pap; for other local authentication types, use configure ppp chap.

radius-acct {ipaddr:port}

Send accounting to the RADIUS server at {ipaddr:port}.

radius-auth {ipaddr:port}

Use a RADIUS-server at {ipaddr:port} to authenticate clients.

radius-key {ipaddr} {key} (a)

Use {key} when connecting to a RADIUS-server at {ipaddr}.

session-limit {number}

Number of concurrent sessions per service. The default value is 64.

Example 19. service pppoe: using RADIUS

!
interface ethernet 0
	mac 00:e0:18:8d:28:b6
!
interface ethernet 0.10
interface ethernet 0.15
interface ethernet 0.34
!
service pppoe test1
	interface ethernet 0.10
	interface ethernet 0.15
	interface ethernet 0.34
	announce Internet
	clamp-mss 1200
	enable radius
	radius-auth 10.0.0.10:1812
	radius-acct 10.0.0.10:1813
	radius-key  10.0.0.10  secret
	session-limit 1024
	nameserver 217.170.64.5
	nameserver 217.170.67.5
!

Example 20. service pppoe: local authentication

!
service pppoe test2
	interface ethernet 1
	announce Test
	option require-mschap-v2
	option mppe required
	option debug
	disable simultaneous
!

service pppoe-client [name]

PPPoE client section.

access-list {name}

Use an access-list {name} to firewall the session.

acn {name}

Use {name} as a preferred access server.

clamp-mss {MSS}

Clamp incoming and outgoing TCP MSS values to the specified value, in bytes.

interface {spec} (a)

Try to connect from a specified interface. If multiple interfaces are given, create a client process on every specified interface.

option {option}

Pass {option} to the pppd(8) process. For a detailed description of the options see the appropriate man page. In addition to those listed in the "service pppoe" section:

defaultroute

Set the route to the peer as the default route.

user {user}

Use the credentials for {user} from the appropriate password database (show ppp pap or show ppp chap).

service {name}

Use {name} as a preferred service.

Example 21. service pppoe-client

!
access-list standard
	accept proto tcp dport 22
	accept proto tcp dport 80
	accept proto udp sport 53
	accept proto udp dport 123
	accept proto tcp dport 1024:65535
!
access-list reject
	reject any
!
access-list masq
	masquerade any
!
service pppoe-client zlonet
	interface ethernet 0
	access-list standard in
	access-list reject in priority 100
	access-list masq out
	option user ptest
	option defaultroute
	clamp-mss 1412
!

service pptp [name]

PPTP server section.

access-list {name}

Use an access-list {name} to firewall the session.

address {ipaddr}

Start the service on the address specified by {ipaddr}.

bcrelay {interface}

Relay broadcast packets from an interface (e.g., eth0) to a client.

local {ipaddr}

Use an IP address {ipaddr} for a local tunnel interface.

remote {spec}

Use an IP address range {spec} to announce to PPTP clients. See the range spec example in the config code below.

option {option}

Pass {option} to the pppd(8) process. For a detailed options description see the appropriate man page and ppp sections above.

Example 22. service pptp

!
service pptp
	local 10.0.0.1
	remote 10.0.0.2-120
	bcrelay eth0
	option mppe required
	option require-mschap-v2
	option debug
!

service pptp-client [name]

PPTP client section.

access-list {name}

Use an access-list {name} to firewall the session.

peer {ipaddr}

PPTP server to connect to.

option {option}

Pass {option} to the pppd(8) process. For a detailed options description see the appropriate man page and ppp sections above.

Example 23. service pptp-client

!
service pptp-client
	peer 192.168.0.1
	option user ptest
	option persist
	option maxfail 0
	option debug
!

service syslog

System logger service. Syslog is always running, but the local logfile is limited in size. To collect log archives, one can use a remote log server and define "service syslog" with the "remote" option on the RAD GNU/Linux box.

remote {server}

Use {server} as the log server. All system log messages are duplicated to it. The {server} parameter can be either an IP address or a hostname.

Example 24. service syslog

!
service syslog
	remote 192.168.0.100
!

virtual {name}

Define a virtual server. This section can be used only after the system is installed onto a hard disk, and must be defined before running install virtual name {name} from {url}.

shell {path}

The shell to use when entering a virtual server from the RAD GNU/Linux system shell. An absolute path has to be given. By default the shell path is /bin/bash.

size {spec}

The size of the virtual server's partition. Each virtual server resides on its own LVM partition, which can be resized. Every time the virtual server restarts, the system configurator checks this parameter and resizes the partition if needed. Note that this is a mandatory parameter. The size may be given in G or M (gigabytes and megabytes respectively).

start {init}

An absolute path to the system init. Usually, the standard init(8) program cannot be used in a virtual environment, so RAD GNU/Linux provides its own simple init program and installs it as /usr/local/sbin/init. This program reads the standard /etc/inittab and runs the programs for the default runlevel after the sysinit entry. Note that rc.sysinit (usually defined as the sysinit inittab entry) is also not usable in a virtual server because it tries to mount partitions and then fails.

In case of extraordinary system configuration, one can provide a different program to use as init.

resource-list {name}

Use resource-list {name} to limit system resources.

Example 25. virtual server definition

!
resource-list test
	address 10.0.0.1/24
	scheduler hard 5%
!
virtual test
	size 1G
	shell /usr/local/bin/pdksh
	resource-list test
!

vlan {interface.vlan}

VLAN virtual interface. Such an interface can be set up on top of an ethernet interface. The definition of a VLAN interface is almost equivalent to the Cisco directive "switchport trunk allowed vlan X". Note that the real ethernet interface must be connected to the trunk link.

Config syntax is "vlan {interface type} X.Y", where X is the real interface number and Y is a VLAN number.

Example 26. vlan interface

!
! set up real ethernet before vlan:
!
interface ethernet 0
!
! after ethernet device is set, set up vlans:
!
vlan ethernet 0.211
	address 192.168.0.1/24
!
vlan ethernet 0.212
	address 192.168.1.1/24
!

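As an added example (not part of this handbook or of the RAD GNU/Linux project), a small Python checker for the virtual and vlan rules described above: a mandatory size given in G or M, absolute shell and start paths, a referenced resource-list that is actually defined, and the real ethernet interface being set up before its vlan. The section/directive parser and the sample configuration are constructed here from the examples in this handbook; nothing in it is the project's own code.

```python
import re

# Constructed sample in the handbook's section/directive format (not a real
# system's config); one vlan and one virtual section are deliberately wrong.
SAMPLE_CONFIG = """\
! rt-network example
interface ethernet 0
!
vlan ethernet 0.211
\taddress 192.168.0.1/24
!
vlan ethernet 1.5
!
resource-list test
\taddress 10.0.0.1/24
!
virtual test
\tsize 1G
\tshell /usr/local/bin/pdksh
\tresource-list test
!
virtual broken
\tshell bin/sh
\tresource-list missing
!
"""

SIZE_RE = re.compile(r"^\d+[GM]$")       # size is mandatory, given in G or M
VLAN_RE = re.compile(r"^(\d+)\.(\d+)$")  # X.Y: real interface number, VLAN number

def parse_sections(text):
    """Return (header, [directives]) pairs in file order: '!' lines are comments
    or separators, indented lines belong to the last unindented header."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] in " \t":
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections

def lint(text):
    """Check the virtual and vlan sections against the handbook's rules."""
    problems = []
    sections = parse_sections(text)
    defined_lists = {h.split()[1] for h, _ in sections if h.startswith("resource-list ")}
    ethernets = set()  # 'interface ethernet N' headers seen so far (order matters)
    for header, directives in sections:
        words = header.split()
        if words[:2] == ["interface", "ethernet"] and len(words) == 3:
            ethernets.add(words[2])
        elif words[0] == "vlan" and len(words) == 3:
            m = VLAN_RE.match(words[2])
            if not m:
                problems.append(f"{header}: expected X.Y after the interface type")
            elif words[1] == "ethernet" and m.group(1) not in ethernets:
                problems.append(f"{header}: interface ethernet {m.group(1)} is not set up before the vlan")
        elif words[0] == "virtual" and len(words) == 2:
            opts = dict(d.split(None, 1) for d in directives if len(d.split()) > 1)
            if not SIZE_RE.match(opts.get("size", "")):
                problems.append(f"{header}: mandatory 'size' missing or not given in G or M")
            for key in ("shell", "start"):
                if key in opts and not opts[key].startswith("/"):
                    problems.append(f"{header}: '{key}' must be an absolute path")
            if "resource-list" in opts and opts["resource-list"] not in defined_lists:
                problems.append(f"{header}: resource-list '{opts['resource-list']}' is not defined")
    return problems
```

Running lint(SAMPLE_CONFIG) reports the vlan whose ethernet was never set up and the three defects of the "broken" virtual server, while the sections copied from the handbook's examples pass.
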
GNU Free Documentation License


GNU Free Documentation License
  Version 1.2, November 2002


 Copyright (C) 2000,2001,2002  Free Software Foundation, Inc.
     59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.


0. PREAMBLE

The purpose of this License is to make a manual, textbook, or other
functional and useful document "free" in the sense of freedom: to
assure everyone the effective freedom to copy and redistribute it,
with or without modifying it, either commercially or noncommercially.
Secondarily, this License preserves for the author and publisher a way
to get credit for their work, while not being considered responsible
for modifications made by others.

This License is a kind of "copyleft", which means that derivative
works of the document must themselves be free in the same sense.  It
complements the GNU General Public License, which is a copyleft
license designed for free software.

We have designed this License in order to use it for manuals for free
software, because free software needs free documentation: a free
program should come with manuals providing the same freedoms that the
software does.  But this License is not limited to software manuals;
it can be used for any textual work, regardless of subject matter or
whether it is published as a printed book.  We recommend this License
principally for works whose purpose is instruction or reference.


1. APPLICABILITY AND DEFINITIONS

This License applies to any manual or other work, in any medium, that
contains a notice placed by the copyright holder saying it can be
distributed under the terms of this License.  Such a notice grants a
world-wide, royalty-free license, unlimited in duration, to use that
work under the conditions stated herein.  The "Document", below,
refers to any such manual or work.  Any member of the public is a
licensee, and is addressed as "you".  You accept the license if you
copy, modify or distribute the work in a way requiring permission
under copyright law.

A "Modified Version" of the Document means any work containing the
Document or a portion of it, either copied verbatim, or with
modifications and/or translated into another language.

A "Secondary Section" is a named appendix or a front-matter section of
the Document that deals exclusively with the relationship of the
publishers or authors of the Document to the Document's overall subject
(or to related matters) and contains nothing that could fall directly
within that overall subject.  (Thus, if the Document is in part a
textbook of mathematics, a Secondary Section may not explain any
mathematics.)  The relationship could be a matter of historical
connection with the subject or with related matters, or of legal,
commercial, philosophical, ethical or political position regarding
them.

The "Invariant Sections" are certain Secondary Sections whose titles
are designated, as being those of Invariant Sections, in the notice
that says that the Document is released under this License.  If a
section does not fit the above definition of Secondary then it is not
allowed to be designated as Invariant.  The Document may contain zero
Invariant Sections.  If the Document does not identify any Invariant
Sections then there are none.

The "Cover Texts" are certain short passages of text that are listed,
as Front-Cover Texts or Back-Cover Texts, in the notice that says that
the Document is released under this License.  A Front-Cover Text may
be at most 5 words, and a Back-Cover Text may be at most 25 words.

A "Transparent" copy of the Document means a machine-readable copy,
represented in a format whose specification is available to the
general public, that is suitable for revising the document
straightforwardly with generic text editors or (for images composed of
pixels) generic paint programs or (for drawings) some widely available
drawing editor, and that is suitable for input to text formatters or
for automatic translation to a variety of formats suitable for input
to text formatters.  A copy made in an otherwise Transparent file
format whose markup, or absence of markup, has been arranged to thwart
or discourage subsequent modification by readers is not Transparent.
An image format is not Transparent if used for any substantial amount
of text.  A copy that is not "Transparent" is called "Opaque".

Examples of suitable formats for Transparent copies include plain
ASCII without markup, Texinfo input format, LaTeX input format, SGML
or XML using a publicly available DTD, and standard-conforming simple
HTML, PostScript or PDF designed for human modification.  Examples of
transparent image formats include PNG, XCF and JPG.  Opaque formats
include proprietary formats that can be read and edited only by
proprietary word processors, SGML or XML for which the DTD and/or
processing tools are not generally available, and the
machine-generated HTML, PostScript or PDF produced by some word
processors for output purposes only.

The "Title Page" means, for a printed book, the title page itself,
plus such following pages as are needed to hold, legibly, the material
this License requires to appear in the title page.  For works in
formats which do not have any title page as such, "Title Page" means
the text near the most prominent appearance of the work's title,
preceding the beginning of the body of the text.

A section "Entitled XYZ" means a named subunit of the Document whose
title either is precisely XYZ or contains XYZ in parentheses following
text that translates XYZ in another language.  (Here XYZ stands for a
specific section name mentioned below, such as "Acknowledgements",
"Dedications", "Endorsements", or "History".)  To "Preserve the Title"
of such a section when you modify the Document means that it remains a
section "Entitled XYZ" according to this definition.

The Document may include Warranty Disclaimers next to the notice which
states that this License applies to the Document.  These Warranty
Disclaimers are considered to be included by reference in this
License, but only as regards disclaiming warranties: any other
implication that these Warranty Disclaimers may have is void and has
no effect on the meaning of this License.


2. VERBATIM COPYING

You may copy and distribute the Document in any medium, either
commercially or noncommercially, provided that this License, the
copyright notices, and the license notice saying this License applies
to the Document are reproduced in all copies, and that you add no other
conditions whatsoever to those of this License.  You may not use
technical measures to obstruct or control the reading or further
copying of the copies you make or distribute.  However, you may accept
compensation in exchange for copies.  If you distribute a large enough
number of copies you must also follow the conditions in section 3.

You may also lend copies, under the same conditions stated above, and
you may publicly display copies.


3. COPYING IN QUANTITY

If you publish printed copies (or copies in media that commonly have
printed covers) of the Document, numbering more than 100, and the
Document's license notice requires Cover Texts, you must enclose the
copies in covers that carry, clearly and legibly, all these Cover
Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on
the back cover.  Both covers must also clearly and legibly identify
you as the publisher of these copies.  The front cover must present
the full title with all words of the title equally prominent and
visible.  You may add other material on the covers in addition.
Copying with changes limited to the covers, as long as they preserve
the title of the Document and satisfy these conditions, can be treated
as verbatim copying in other respects.

If the required texts for either cover are too voluminous to fit
legibly, you should put the first ones listed (as many as fit
reasonably) on the actual cover, and continue the rest onto adjacent
pages.

If you publish or distribute Opaque copies of the Document numbering
more than 100, you must either include a machine-readable Transparent
copy along with each Opaque copy, or state in or with each Opaque copy
a computer-network location from which the general network-using
public has access to download using public-standard network protocols
a complete Transparent copy of the Document, free of added material.
If you use the latter option, you must take reasonably prudent steps,
when you begin distribution of Opaque copies in quantity, to ensure
that this Transparent copy will remain thus accessible at the stated
location until at least one year after the last time you distribute an
Opaque copy (directly or through your agents or retailers) of that
edition to the public.

It is requested, but not required, that you contact the authors of the
Document well before redistributing any large number of copies, to give
them a chance to provide you with an updated version of the Document.


4. MODIFICATIONS

You may copy and distribute a Modified Version of the Document under
the conditions of sections 2 and 3 above, provided that you release
the Modified Version under precisely this License, with the Modified
Version filling the role of the Document, thus licensing distribution
and modification of the Modified Version to whoever possesses a copy
of it.  In addition, you must do these things in the Modified Version:

A. Use in the Title Page (and on the covers, if any) a title distinct
   from that of the Document, and from those of previous versions
   (which should, if there were any, be listed in the History section
   of the Document).  You may use the same title as a previous version
   if the original publisher of that version gives permission.
B. List on the Title Page, as authors, one or more persons or entities
   responsible for authorship of the modifications in the Modified
   Version, together with at least five of the principal authors of the
   Document (all of its principal authors, if it has fewer than five),
   unless they release you from this requirement.
C. State on the Title page the name of the publisher of the
   Modified Version, as the publisher.
D. Preserve all the copyright notices of the Document.
E. Add an appropriate copyright notice for your modifications
   adjacent to the other copyright notices.
F. Include, immediately after the copyright notices, a license notice
   giving the public permission to use the Modified Version under the
   terms of this License, in the form shown in the Addendum below.
G. Preserve in that license notice the full lists of Invariant Sections
   and required Cover Texts given in the Document's license notice.
H. Include an unaltered copy of this License.
I. Preserve the section Entitled "History", Preserve its Title, and add
   to it an item stating at least the title, year, new authors, and
   publisher of the Modified Version as given on the Title Page.  If
   there is no section Entitled "History" in the Document, create one
   stating the title, year, authors, and publisher of the Document as
   given on its Title Page, then add an item describing the Modified
   Version as stated in the previous sentence.
J. Preserve the network location, if any, given in the Document for
   public access to a Transparent copy of the Document, and likewise
   the network locations given in the Document for previous versions
   it was based on.  These may be placed in the "History" section.
   You may omit a network location for a work that was published at
   least four years before the Document itself, or if the original
   publisher of the version it refers to gives permission.
K. For any section Entitled "Acknowledgements" or "Dedications",
   Preserve the Title of the section, and preserve in the section all
   the substance and tone of each of the contributor acknowledgements
   and/or dedications given therein.
L. Preserve all the Invariant Sections of the Document,
   unaltered in their text and in their titles.  Section numbers
   or the equivalent are not considered part of the section titles.
M. Delete any section Entitled "Endorsements".  Such a section
   may not be included in the Modified Version.
N. Do not retitle any existing section to be Entitled "Endorsements"
   or to conflict in title with any Invariant Section.
O. Preserve any Warranty Disclaimers.

If the Modified Version includes new front-matter sections or
appendices that qualify as Secondary Sections and contain no material
copied from the Document, you may at your option designate some or all
of these sections as invariant.  To do this, add their titles to the
list of Invariant Sections in the Modified Version's license notice.
These titles must be distinct from any other section titles.

You may add a section Entitled "Endorsements", provided it contains
nothing but endorsements of your Modified Version by various
parties--for example, statements of peer review or that the text has
been approved by an organization as the authoritative definition of a
standard.

You may add a passage of up to five words as a Front-Cover Text, and a
passage of up to 25 words as a Back-Cover Text, to the end of the list
of Cover Texts in the Modified Version.  Only one passage of
Front-Cover Text and one of Back-Cover Text may be added by (or
through arrangements made by) any one entity.  If the Document already
includes a cover text for the same cover, previously added by you or
by arrangement made by the same entity you are acting on behalf of,
you may not add another; but you may replace the old one, on explicit
permission from the previous publisher that added the old one.

The author(s) and publisher(s) of the Document do not by this License
give permission to use their names for publicity for or to assert or
imply endorsement of any Modified Version.


5. COMBINING DOCUMENTS

You may combine the Document with other documents released under this
License, under the terms defined in section 4 above for modified
versions, provided that you include in the combination all of the
Invariant Sections of all of the original documents, unmodified, and
list them all as Invariant Sections of your combined work in its
license notice, and that you preserve all their Warranty Disclaimers.

The combined work need only contain one copy of this License, and
multiple identical Invariant Sections may be replaced with a single
copy.  If there are multiple Invariant Sections with the same name but
different contents, make the title of each such section unique by
adding at the end of it, in parentheses, the name of the original
author or publisher of that section if known, or else a unique number.
Make the same adjustment to the section titles in the list of
Invariant Sections in the license notice of the combined work.

In the combination, you must combine any sections Entitled "History"
in the various original documents, forming one section Entitled
"History"; likewise combine any sections Entitled "Acknowledgements",
and any sections Entitled "Dedications".  You must delete all sections
Entitled "Endorsements".


6. COLLECTIONS OF DOCUMENTS

You may make a collection consisting of the Document and other documents
released under this License, and replace the individual copies of this
License in the various documents with a single copy that is included in
the collection, provided that you follow the rules of this License for
verbatim copying of each of the documents in all other respects.

You may extract a single document from such a collection, and distribute
it individually under this License, provided you insert a copy of this
License into the extracted document, and follow this License in all
other respects regarding verbatim copying of that document.


7. AGGREGATION WITH INDEPENDENT WORKS

A compilation of the Document or its derivatives with other separate
and independent documents or works, in or on a volume of a storage or
distribution medium, is called an "aggregate" if the copyright
resulting from the compilation is not used to limit the legal rights
of the compilation's users beyond what the individual works permit.
When the Document is included in an aggregate, this License does not
apply to the other works in the aggregate which are not themselves
derivative works of the Document.

If the Cover Text requirement of section 3 is applicable to these
copies of the Document, then if the Document is less than one half of
the entire aggregate, the Document's Cover Texts may be placed on
covers that bracket the Document within the aggregate, or the
electronic equivalent of covers if the Document is in electronic form.
Otherwise they must appear on printed covers that bracket the whole
aggregate.


8. TRANSLATION

Translation is considered a kind of modification, so you may
distribute translations of the Document under the terms of section 4.
Replacing Invariant Sections with translations requires special
permission from their copyright holders, but you may include
translations of some or all Invariant Sections in addition to the
original versions of these Invariant Sections.  You may include a
translation of this License, and all the license notices in the
Document, and any Warranty Disclaimers, provided that you also include
the original English version of this License and the original versions
of those notices and disclaimers.  In case of a disagreement between
the translation and the original version of this License or a notice
or disclaimer, the original version will prevail.

If a section in the Document is Entitled "Acknowledgements",
"Dedications", or "History", the requirement (section 4) to Preserve
its Title (section 1) will typically require changing the actual
title.


9. TERMINATION

You may not copy, modify, sublicense, or distribute the Document except
as expressly provided for under this License.  Any other attempt to
copy, modify, sublicense or distribute the Document is void, and will
automatically terminate your rights under this License.  However,
parties who have received copies, or rights, from you under this
License will not have their licenses terminated so long as such
parties remain in full compliance.


10. FUTURE REVISIONS OF THIS LICENSE

The Free Software Foundation may publish new, revised versions
of the GNU Free Documentation License from time to time.  Such new
versions will be similar in spirit to the present version, but may
differ in detail to address new problems or concerns.  See
http://www.gnu.org/copyleft/.

Each version of the License is given a distinguishing version number.
If the Document specifies that a particular numbered version of this
License "or any later version" applies to it, you have the option of
following the terms and conditions either of that specified version or
of any later version that has been published (not as a draft) by the
Free Software Foundation.  If the Document does not specify a version
number of this License, you may choose any version ever published (not
as a draft) by the Free Software Foundation.


ADDENDUM: How to use this License for your documents

To use this License in a document you have written, include a copy of
the License in the document and put the following copyright and
license notices just after the title page:

    Copyright (c)  YEAR  YOUR NAME.
    Permission is granted to copy, distribute and/or modify this document
    under the terms of the GNU Free Documentation License, Version 1.2
    or any later version published by the Free Software Foundation;
    with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
    A copy of the license is included in the section entitled "GNU
    Free Documentation License".

If you have Invariant Sections, Front-Cover Texts and Back-Cover Texts,
replace the "with...Texts." line with this:

    with the Invariant Sections being LIST THEIR TITLES, with the
    Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST.

If you have Invariant Sections without Cover Texts, or some other
combination of the three, merge those two alternatives to suit the
situation.

If your document contains nontrivial examples of program code, we
recommend releasing these examples in parallel under your choice of
free software license, such as the GNU General Public License,
to permit their use in free software.



[3] So, there cannot be # or ! in password definitions. This will be fixed soon.