README for the ipip encapsulation daemon as distributed by Bdale Garbee, KB0G.
This is a derivation of Mike Westerhof's ipip daemon for Unix machines. Mike
provided code that worked for SunOS, I ported the daemon to HP-UX and BSD/OS,
and Ron Atkinson N8FOW and John Paul Morrison provided the tweaks for Linux.
As a Debian developer, whatever activity there is on maintaining this package
is now in the context of the Debian package. The BSD support should mostly
still work, but I haven't tested it in years. It should be trivial to unpack
and build these sources on non-Debian Linux systems, and not hard on any
system with BSD-style sockets.
To build the daemon:

	# you've obviously already unpacked the source distribution.  On BSD
	# systems, I like to park it in /usr/src/local/ipip, and augment the
	# Makefiles so that the daemon becomes part of the normal full build.

	# make a copy of the correct Makefile, I like to symlink them and use
	# RCS to manage the changes, but to each his own...

	   ln -s Makefile.BSD Makefile
	or ln -s Makefile.Linux Makefile

	# edit Makefile to set desired options, as documented below

	# if you're on a BSD system, issue the following four make commands...

	make obj
	make depend
	make
	make install

	# if you're on a Linux system, just do

	make all

To install the daemon:
Look in the 'samples' subdirectory for examples of how to create a
config file, which defines interfaces, and a routes file, which sets
up the routing table. The 'bdale' subdirectory has a couple of
example configs, one very old one from Mike, one that represents
what Bdale ran for some years. The 'n8fow' subdirectory has Ron's
config files, which are perhaps more appropriate for Linux users. I
suggest you troll it all, though, and see what's there.
Got questions? Ask. It'll help motivate me/us to improve the docs!

To re-build the daemon if you make source changes:

	# if you're on BSD, just do a

	make

	# if you're on Linux, do

	make clean ; make all

Logging output is handled via syslog. We use the LOCAL0 service specifier
in syslog's configuration file by default. As a result, make sure to look
for errors in the /var/log/local0 (BSD) or /var/adm/local0 (Linux) or
/usr/adm/local0 (HP-UX) file, and arrange for appropriate log rotation. You
can send a SIGHUP to the daemon after rotating log files and/or loading new
routing information to get it to "restart". You probably also need to SIGHUP
syslogd to note the log rotation.
The following options are available when running the program (yeah, there
should be a man page, but "life is short and the ROM is full"):

	Options are:
	  -help     Print this summary of options
	  -v        Print just the version number and exit
	  -c file   Use the supplied filename as the config file
	  -r file   Use the supplied filename as the route file
	  -s n      Report statistics every n minutes
	  -np       Don't print the ipip[1234]: prefix
	  -nts      Don't include a timestamp in the statistics
	  -t        Turn on tracing of incoming packets
	  -d        Print out some debugging information

There is one option in the Makefile. If you include -DAMPRONLY, then any
packets which do not have both source and destination addresses in network
44 get dropped on the floor. After we had a non-ham on the Internet attack
one of our net-44 subnets, we implemented this firewall, and now use a mixture
of MX records pointing via a dual-homed host and socks services to do
everything we want from the network 44 side while presenting a blank wall to
non-net-44 initiated connections. Ugly, but it works. Someday when I'm
resting, I'll put screend up to manage the firewall and return the ipip
daemon to being "transparent". But not today...
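
The both-ends-in-network-44 rule that -DAMPRONLY describes, sketched in C as an added example; it is not code from the ipip sources. The function names are hypothetical, and it assumes "network 44" means 44.0.0.0/8 and that the check is applied to a raw IPv4 header.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper, not from the ipip sources: return 1 if the IPv4
 * header at pkt has BOTH source and destination in network 44
 * (assumed here to mean 44.0.0.0/8), 0 if the packet should be dropped. */
int ampr_only_pass(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < 20)
        return 0;                       /* too short for an IPv4 header */
    if ((pkt[0] >> 4) != 4)
        return 0;                       /* not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len)
        return 0;                       /* malformed or truncated header */
    /* Source is bytes 12..15 and destination 16..19, both in network
     * byte order, so the first octet of each is the /8 network number. */
    return pkt[12] == 44 && pkt[16] == 44;
}

/* Build a constructed sample header (only the fields the check reads
 * are filled in) and run it through the filter. */
int check_sample(uint8_t vihl, uint8_t src0, uint8_t dst0, size_t len)
{
    uint8_t h[20] = { 0 };
    h[0] = vihl;
    h[12] = src0; h[13] = 0; h[14] = 2; h[15] = 1;
    h[16] = dst0; h[17] = 0; h[18] = 2; h[19] = 2;
    return ampr_only_pass(h, len);
}

int main(void)
{
    printf("44 -> 44, full header   : %d\n", check_sample(0x45, 44, 44, 20));
    printf("192 -> 44 (outside src) : %d\n", check_sample(0x45, 192, 44, 20));
    printf("44 -> 192 (outside dst) : %d\n", check_sample(0x45, 44, 192, 20));
    printf("44 -> 44, truncated     : %d\n", check_sample(0x45, 44, 44, 19));
    printf("44 -> 44, IHL > length  : %d\n", check_sample(0x46, 44, 44, 20));
    return 0;
}
```

Dropping on a failed length or version check keeps a malformed packet from slipping past the address test.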
If you have questions about this stuff, I can be reached as bdale@gag.com. If
you make changes or improvements, please send them along so I can update
the distribution.