https://wiki.archlinux.org/api.php?action=feedcontributions&user=Foucault&feedformat=atomArchWiki - User contributions [en]2024-03-29T09:25:43ZUser contributionsMediaWiki 1.41.0https://wiki.archlinux.org/index.php?title=Kernel_parameters&diff=457717Kernel parameters2016-11-24T16:36:45Z<p>Foucault: /* Parameter list */ Add the resume= parameter</p>
<hr />
<div>[[Category:Kernel]]<br />
[[es:Kernel parameters]]<br />
[[ja:カーネルパラメータ]]<br />
[[ru:Kernel parameters]]<br />
[[zh-CN:Kernel parameters]]<br />
There are three ways to pass options to the kernel and thus control its behaviour:<br />
<br />
# When building the kernel. See [[Kernel Compilation]] for details.<br />
# When starting the kernel (usually, when invoked from a boot loader).<br />
# At runtime (through the files in {{ic|/proc}} and {{ic|/sys}}). See [[sysctl]] for details.<br />
<br />
This page explains the second method in more detail and lists the kernel parameters most commonly used on Arch Linux.<br />
<br />
== Configuration ==<br />
<br />
{{Note|<br />
* You can check the parameters your system was booted with by running {{ic|$ cat /proc/cmdline}} and verifying that it includes your changes.<br />
* The Arch Linux [https://www.archlinux.org/download/ installation medium] uses [[Syslinux]] for [[Wikipedia:BIOS|BIOS]] systems, and [[systemd-boot]] for [[UEFI]] systems.}}<br />
<br />
Kernel parameters can be set either temporarily by editing the boot menu when it shows up, or by modifying the boot loader's configuration file.<br />
<br />
The following examples add the {{ic|quiet}} and {{ic|splash}} parameters to [[Syslinux]], [[systemd-boot]], [[GRUB]], [[GRUB Legacy]], [[LILO]], and [[rEFInd]].<br />
<br />
=== Syslinux ===<br />
<br />
* Press {{ic|Tab}} when the menu shows up and add them at the end of the string:<br />
<br />
: {{bc|1=linux /boot/vmlinuz-linux root=/dev/sda3 initrd=/boot/initramfs-linux.img ''quiet splash''}}<br />
<br />
: Press {{ic|Enter}} to boot with these parameters.<br />
<br />
* To make the change persistent after reboot, edit {{ic|/boot/syslinux/syslinux.cfg}} and add them to the {{ic|APPEND}} line:<br />
<br />
: {{bc|1=APPEND root=/dev/sda3 ''quiet splash''}}<br />
<br />
For more information on configuring Syslinux, see the [[Syslinux]] article.<br />
<br />
=== systemd-boot ===<br />
<br />
* Press {{ic|e}} when the menu appears and add the parameters to the end of the string:<br />
<br />
: {{bc|1=initrd=\initramfs-linux.img root=/dev/sda2 ''quiet splash''}}<br />
<br />
: Press {{ic|Enter}} to boot with these parameters.<br />
<br />
{{Note|If you have not set a value for menu timeout, you will need to hold {{ic|Space}} while booting for the systemd-boot menu to appear.}}<br />
<br />
* To make the change persistent after reboot, edit {{ic|/boot/loader/entries/arch.conf}} (assuming your [[EFI System Partition]] is mounted at {{ic|/boot}}) and add them to the {{ic|options}} line:<br />
<br />
: {{bc|1=options root=/dev/sda2 ''quiet splash''}}<br />
<br />
For more information on configuring systemd-boot, see the [[systemd-boot]] article.<br />
<br />
=== GRUB ===<br />
<br />
* Press {{ic|e}} when the menu shows up and add them on the {{ic|linux}} line:<br />
<br />
: {{bc|1=linux /boot/vmlinuz-linux root=UUID=978e3e81-8048-4ae1-8a06-aa727458e8ff ''quiet splash''}}<br />
<br />
: Press {{ic|Ctrl+x}} to boot with these parameters.<br />
<br />
* To make the change persistent after reboot, while you ''could'' manually edit {{ic|/boot/grub/grub.cfg}} with the exact line from above, the best practice is to:<br />
<br />
:Edit {{ic|/etc/default/grub}} and append your kernel options to the {{ic|GRUB_CMDLINE_LINUX_DEFAULT}} line:<br />
<br />
:: {{bc|1=GRUB_CMDLINE_LINUX_DEFAULT="''quiet splash''"}}<br />
<br />
:And then automatically re-generate the {{ic|grub.cfg}} file with:<br />
<br />
:: {{bc|# grub-mkconfig -o /boot/grub/grub.cfg}}<br />
<br />
For more information on configuring GRUB, see the [[GRUB]] article.<br />
<br />
=== GRUB Legacy ===<br />
<br />
* Press {{ic|e}} when the menu shows up and add them on the {{ic|kernel}} line:<br />
<br />
: {{bc|1=kernel /boot/vmlinuz-linux root=/dev/sda3 ''quiet splash''}}<br />
<br />
: Press {{ic|b}} to boot with these parameters.<br />
<br />
* To make the change persistent after reboot, edit {{ic|/boot/grub/menu.lst}} and add them to the {{ic|kernel}} line, exactly like above.<br />
<br />
For more information on configuring GRUB Legacy, see the [[GRUB Legacy]] article.<br />
<br />
=== LILO ===<br />
<br />
* Add them to {{ic|/etc/lilo.conf}}:<br />
<br />
: {{bc|<nowiki><br />
image=/boot/vmlinuz-linux<br />
...<br />
</nowiki>''quiet splash''}}<br />
<br />
For more information on configuring LILO, see the [[LILO]] article.<br />
<br />
=== rEFInd ===<br />
<br />
* To make the change persistent after reboot, edit {{ic|/boot/refind_linux.conf}} and append them to every line that should carry them, for example<br />
<br />
: {{bc|1="Boot using default options" "root=PARTUUID=978e3e81-8048-4ae1-8a06-aa727458e8ff rw ''quiet splash''"}}<br />
<br />
* If you have disabled auto-detection of OSes in rEFInd and instead define OS stanzas in {{ic|''esp''/refind/refind.conf}}, add the parameters to the {{ic|options}} line of the stanza:<br />
<br />
: {{bc|<nowiki><br />
menuentry "Arch Linux" {<br />
...<br />
options "root=PARTUUID=978e3e81-8048-4ae1-8a06-aa727458e8ff rw quiet splash"<br />
...<br />
}<br />
</nowiki>}}<br />
<br />
For more information on configuring kernel parameters in rEFInd, see [http://www.rodsbooks.com/refind/linux.html Configuring the rEFInd Bootmanager]<br />
<br />
=== EFISTUB ===<br />
<br />
See [[EFISTUB#Using UEFI directly]].<br />
<br />
=== Hijacking cmdline ===<br />
<br />
Even without access to the boot loader, root can change what {{ic|/proc/cmdline}} reports. This does not alter the parameters the running kernel parsed at boot; it only changes what programs that read {{ic|/proc/cmdline}} afterwards will see, which is enough to enable debugging in tools that consult that file. {{ic|/proc/cmdline}} is not writable even as root, so the trick is to mask the path with a bind mount.<br />
<br />
First create a file containing the desired kernel parameters<br />
<br />
{{hc|/root/cmdline|2=root=/dev/disk/by-label/ROOT ro console=tty1 logo.nologo debug}}<br />
<br />
Then use a bind mount to overwrite the parameters<br />
<br />
# mount -n --bind -o ro /root/cmdline /proc/cmdline<br />
<br />
The {{ic|-n}} option skips adding the mount to {{ic|/etc/mtab}}, so it will work even if root is mounted read-only. {{ic|cat /proc/cmdline}} should now print the contents of {{ic|/root/cmdline}}. The mask lasts only until {{ic|umount /proc/cmdline}} or the next reboot. It also means that {{ic|/proc/cmdline}} cannot be trusted as a record of how the system was booted once root has been compromised.<br />
<br />
== Parameter list ==<br />
<br />
Parameters take the form {{ic|parameter}} or {{ic|1=parameter=value}}; a value containing spaces can be enclosed in double quotes ({{ic|1=param="spaces in here"}}). All of these parameters are case-sensitive.<br />
<br />
{{Note|Not all of the listed options are always available. Most are associated with subsystems and work only if the kernel is configured with those subsystems built in. They also depend on the presence of the hardware they are associated with.}}<br />
<br />
{| class="wikitable"<br />
!parameter!!Description<br />
|-<br />
| root= || Root filesystem.<br />
|-<br />
| rootflags= || Root filesystem mount options.<br />
|-<br />
| ro || Mount root device read-only on boot (default<sup>1</sup>).<br />
|-<br />
| rw || Mount root device read-write on boot.<br />
|-<br />
| initrd=|| Specify the location of the initial ramdisk.<br />
|-<br />
| init= || Run specified binary instead of {{ic|/sbin/init}} (symlinked to [[systemd]] in Arch) as init process.<br />
|-<br />
| init=/bin/sh || Boot straight into a root shell instead of init, for recovery. Anyone who can edit the boot entry can do the same, so password-protect the boot loader menu (or rely on full-disk encryption) where physical access is a concern.<br />
|-<br />
| systemd.unit= || Boot to a [[systemd#Targets table|specified target]].<br />
|-<br />
| resume= || Specify a swap device to use when waking from [[Hibernate|hibernation]].<br />
|-<br />
| nomodeset || Disable [[Kernel mode setting]].<br />
|-<br />
| zswap.enabled=1 || Enable [[Zswap]].<br />
|-<br />
| video=<videosetting> || Override framebuffer video defaults.<br />
|}<br />
<br />
<sup>1</sup> [[mkinitcpio]] uses {{ic|ro}} as default value when neither {{ic|rw}} or {{ic|ro}} is set by the [[boot loader]]. Boot loaders may set the value to use, for example GRUB uses {{ic|rw}} by default (see {{Bug|36275}} as a reference).<br />
<br />
For a complete list of all options, please see the [https://www.kernel.org/doc/Documentation/kernel-parameters.txt kernel documentation].<br />
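As an added example (not part of the original article and not kernel code), the following Python script parses a command line in the format just described, so that a script checking {{ic|/proc/cmdline}} can look parameters up by exact, case-sensitive name instead of grepping for substrings. The sample command line and the {{ic|module.opt}} parameter are constructed for the example; {{ic|init}} and {{ic|systemd.unit}} are the parameters from the table above that change what boots.<br />
<br />
```python
"""Parse a Linux kernel command line into (parameter, value) pairs.

Added example for this article, not ArchWiki or kernel code. It follows the
format described above and in kernel-parameters.txt: whitespace-separated
tokens that are either `parameter` or `parameter=value`, case-sensitive,
with double quotes protecting spaces inside a value.
"""
from __future__ import annotations

from typing import Optional

# Constructed sample (not a real system): a GRUB-style command line with the
# `quiet splash` additions from this article plus two boot-target overrides.
SAMPLE_CMDLINE = (
    "BOOT_IMAGE=/vmlinuz-linux root=UUID=978e3e81-8048-4ae1-8a06-aa727458e8ff "
    'rw quiet splash module.opt="with spaces" systemd.unit=rescue.target init=/bin/sh'
)

# Parameters from the table above that replace the normal init process or target.
BOOT_OVERRIDE_PARAMS = ("init", "systemd.unit")


def tokenize(cmdline: str) -> list[str]:
    """Split on whitespace, except while inside a pair of double quotes."""
    tokens: list[str] = []
    current: list[str] = []
    in_quote = False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
            current.append(ch)
        elif ch.isspace() and not in_quote:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def parse_cmdline(cmdline: str) -> list[tuple[str, Optional[str]]]:
    """Return (parameter, value) pairs in command-line order.

    value is None for bare flags such as `quiet`. Only the first '=' splits,
    so `root=UUID=...` keeps `UUID=...` as its value; double quotes around
    the value are stripped, everything else is left untouched.
    """
    params: list[tuple[str, Optional[str]]] = []
    for token in tokenize(cmdline):
        if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
            token = token[1:-1]  # the whole token was quoted
        key, sep, value = token.partition("=")
        if not sep:
            params.append((key, None))
            continue
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        params.append((key, value))
    return params


def has_flag(params: list[tuple[str, Optional[str]]], name: str) -> bool:
    """True if the parameter appears at all. Names are compared case-sensitively."""
    return any(key == name for key, _ in params)


def last_value(params: list[tuple[str, Optional[str]]], name: str) -> Optional[str]:
    """Value of the last occurrence of `name`.

    The kernel handles repeated parameters in order, so for parameters such
    as root= or init= the last occurrence is the one that takes effect.
    """
    value = None
    for key, val in params:
        if key == name:
            value = val
    return value


def boot_overrides(params: list[tuple[str, Optional[str]]]) -> dict[str, Optional[str]]:
    """Which of the boot-target overrides from the table above are present."""
    return {name: last_value(params, name) for name in BOOT_OVERRIDE_PARAMS if has_flag(params, name)}


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        text = sys.argv[1]
    else:
        try:
            with open("/proc/cmdline") as f:  # what userspace sees; root can mask it
                text = f.read()
        except OSError:
            text = SAMPLE_CMDLINE
    parsed = parse_cmdline(text)
    for key, val in parsed:
        print(key if val is None else f"{key}={val}")
    overrides = boot_overrides(parsed)
    if overrides:
        print("boot target overridden:", overrides)
```
<br />
Run it without arguments on a Linux machine to parse the live {{ic|/proc/cmdline}}, or pass a command line as the first argument. Because the kernel processes repeated parameters in order, {{ic|last_value}} reports the occurrence that is actually in effect. As the ''Hijacking cmdline'' section explains, what the script reads is only what userspace sees, which root can mask with a bind mount.<br />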
<br />
== See also ==<br />
<br />
* [https://www.kernel.org/doc/Documentation/kernel-parameters.txt Linux "Kernel Parameters" documentation]<br />
* [[Power saving#Kernel parameters]]<br />
* [http://files.kroah.com/lkn/lkn_pdf/ch09.pdf List of kernel parameters with further explanation and grouped by similar options]</div>Foucaulthttps://wiki.archlinux.org/index.php?title=Talk:Router&diff=369350Talk:Router2015-04-11T15:49:47Z<p>Foucault: /* IPv6 cleanup */ new section</p>
<hr />
<div>The section on how to edit {{ic|/etc/dhcpcd.conf}} for DHCPv6-PD mentions the lines below. But {{ic|ia_pd}} and {{ic|ipv6only}} seem to be undocumented features of dhcpcd. This also needs more context as these lines don't work when you just paste them in the config file (besides matching the interface names, of course).<br />
<br />
duid<br />
noipv6rs<br />
#ipv6only<br />
interface extern0<br />
ia_pd 1 intern0<br />
<br />
Just a heads up for those being as confused as I.<br />
<br />
[[User:Erikvanvelzen|Erikvanvelzen]] ([[User talk:Erikvanvelzen|talk]]) 17:37, 26 May 2014 (UTC)<br />
<br />
== The "conventions" for the ethernet device names are not consistent ==<br />
<br />
The Conventions section uses specific names for internal and external devices used for routing, but these conventions seem to be ignored or switched throughout the document. For example, "extern0" is referred to several times, though it is described as "extern1" in the Conventions section. [[User:Clvrmnky|Clvrmnky]] ([[User talk:Clvrmnky|talk]]) 18:17, 23 March 2015 (UTC)<br />
<br />
:Good catch. I found [https://wiki.archlinux.org/index.php?title=Router&diff=366932&oldid=358461]. If you saw more, please change accordingly. It would not be bad to rename them completely (e.g. "WAN" and "LAN"; "extern", "intern" is German not English), but consistency first. --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 08:54, 24 March 2015 (UTC)<br />
<br />
== IPv6 cleanup ==<br />
<br />
I have moved most of the IPv6 information to the main IPv6 article and only kept some information that are mostly relevant for router configurations. I've added links to the main article where required.<br />
<br />
[[User:Foucault|Foucault]] ([[User talk:Foucault|talk]]) 15:49, 11 April 2015 (UTC)</div>Foucaulthttps://wiki.archlinux.org/index.php?title=Router&diff=369349Router2015-04-11T15:47:30Z<p>Foucault: /* IPv6 */ Move most IPv6 information to the main IPv6; kept details that are of importance mainly for router configurations</p>
<hr />
<div>[[Category:Networking]]<br />
[[Category:Security]]<br />
{{Poor writing|The introduction states that this page "focuses on ''security''", but 99% is plain system configuration. It also needs massive deduplication, security is already covered [[Simple stateful firewall|elsewhere]].}}<br />
<br />
This article is a tutorial for turning a computer into an internet gateway/router. It focuses on ''security'', since the gateway is connected directly to the Internet. It should not run '''any''' services reachable from the outside world, and towards the LAN it should only run gateway-specific services. Do not run httpd, ftpd, Samba, nfsd and the like on it: those belong on a server inside the LAN, and every extra service on the gateway is additional attack surface exposed to both networks.<br />
<br />
This article does not attempt to show how to set up a shared connection between 2 PCs using cross-over cables. For a simple internet sharing solution, see [[Internet sharing]].<br />
<br />
==Hardware Requirements==<br />
* At least 1 GB of hard drive space. The base install will take up around 500MB of space and if you want to use a caching web proxy, you will need to reserve space for the cache as well.<br />
* At least two physical network interfaces: a gateway connects two networks with each other. You will need to be able to connect those networks to the same physical computer. One interface must connect to the external network, while the other connects to the internal network.<br />
* A hub, switch or UTP cable: You need a way to connect the other computers to the gateway<br />
<br />
==Conventions==<br />
Conventions in this guide will be to use non-realistic interface names, to avoid confusion about which interface is which.<br />
<br />
* '''intern0''': the network card connected to the LAN. On an actual computer it will probably have the name enp2s0, enp1s1, etc.<br />
* '''extern0''': the network card connected to the external network (or WAN). It will probably have the name enp2s0, enp1s1, etc.<br />
<br />
==Installation==<br />
{{Note | For a full installation guide, see the [[Installation guide]].}}<br />
<br />
A fresh install of Arch Linux is the easiest starting point: no configuration changes have been made yet and only a minimal number of packages is installed, which keeps the attack surface small.<br />
<br />
===Partitioning===<br />
<br />
For security purposes, {{ic|/var}}, {{ic|/tmp}} and {{ic|/home}} should be separate from the {{ic|/}} partition. This prevents the root filesystem from being filled up by log files, daemons or the unprivileged user, and it allows different mount options per partition (for example {{ic|nodev}}, {{ic|nosuid}} and {{ic|noexec}} on {{ic|/tmp}}). If you have already partitioned your drive, the [http://gparted.sourceforge.net/ gparted livecd] can be used to resize, move, or create new partitions.<br />
<br />
Your home and root partitions can be much smaller than a regular install since this is not a desktop machine. {{ic|/var}} should be the largest partition—it is where databases, logs and long-term caches are stored. If you have a lot of RAM, mounting {{ic|/tmp}} as {{ic|tmpfs}} is a good idea, so making a disk partition for it during the initial install is unnecessary. Note that {{ic|/tmp}} is mounted as {{ic|tmpfs}} by default in Arch.<br />
<br />
===Post-Installation===<br />
After creating a non-root account, install [[sudo]] and [[sudo#Disable root login|disable root login]].<br />
<br />
==Network interface configuration==<br />
<br />
===Persistent naming and Interface renaming===<br />
Systemd automatically chooses unique interface names for all your interfaces. These are persistent and will not change when you reboot. If you would like to rename interfaces to friendlier names, read [[Network configuration#Device_names]].<br />
<br />
===IP configuration===<br />
Now you will need to configure the network interfaces. The best way to do so is using [[netctl]] profiles. You will need to create two profiles.<br />
{{Note|If you will be connecting to the Internet only via PPPoE (you have one WAN port) you '''do not need''' to setup or enable the extern0-profile. See below for more information on configuring PPPoE.}}<br />
* {{ic|/etc/netctl/extern0-profile}}<br />
Description='Public Interface.'<br />
Interface=extern0<br />
Connection=ethernet<br />
IP='dhcp'<br />
<br />
* {{ic|/etc/netctl/intern0-profile}}<br />
Description='Private Interface'<br />
Interface=intern0<br />
Connection=ethernet<br />
IP='static'<br />
Address=('10.0.0.1/24')<br />
<br />
{{Note|The example configuration above assumes a full subnet. If you are building the gateway for a small amount of people, you will want to change the CIDR suffix to accommodate a smaller range. For example /27 will give you 10.0.0.1 to 10.0.0.30. You can find many CIDR calculators online.}}<br />
<br />
Next up is to set up the interfaces with netctl.<br />
# netctl enable extern0-profile<br />
# netctl enable intern0-profile<br />
<br />
==ADSL connection/PPPoE==<br />
Using rp-pppoe, we can connect an ADSL modem to the {{ic|extern0}} interface of the firewall and have Arch manage the connection. Make sure you put the modem in ''bridged'' mode though (either half-bridge or RFC1483), otherwise the modem will act as a router too.<br />
# pacman -S rp-pppoe<br />
<br />
It should be noted that if you use only PPPoE to connect to the internet (ie. you do not have other WAN port, except for the one that connects to your modem) you do not need to set up the {{ic|extern0-profile}} as the external pseudo-interface will be ppp0.<br />
<br />
===PPPoE configuration===<br />
You can use netctl to setup the pppoe connection. To get started<br />
# cp /etc/netctl/examples/pppoe /etc/netctl/<br />
and start editing. For the interface configuration choose the interface that connects to the modem. If you only connect to the internet through PPPoE this will probably be {{ic|extern0}}. Fill in the rest of the fields with your ISP information. See the pppoe section in netctl.profile man page for more information on the fields.<br />
<br />
==DNS and DHCP==<br />
We will use [[dnsmasq]], a DNS and DHCP daemon for the LAN. It was specifically designed for small sites. To get it, [[Pacman | install]] {{Pkg|dnsmasq}} from the [[official repositories]].<br />
<br />
Dnsmasq needs to be configured to be a DHCP server. To do this:<br />
<br />
Edit {{ic|/etc/dnsmasq.conf}}:<br />
<br />
interface=intern0 # make dnsmasq listen for requests only on intern0 (our LAN)<br />
expand-hosts # add a domain to simple hostnames in /etc/hosts<br />
domain=foo.bar # allow fully qualified domain names for DHCP hosts (needed when<br />
# "expand-hosts" is used)<br />
dhcp-range=10.0.0.2,10.0.0.254,255.255.255.0,1h # defines a DHCP-range for the LAN:<br />
# from 10.0.0.2 to .254 (.255 is the broadcast address of the /24 and must not be leased)<br />
# with a subnet mask of 255.255.255.0 and a DHCP lease of 1 hour (change to your own preferences)<br />
<br />
Further down in the file you will notice that you can also add "static" DHCP leases ({{ic|dhcp-host}}), i.e. bind an IP address to the MAC address of a computer on the LAN. This way, whenever that computer requests a new lease, it gets the same IP, which is useful for network servers with a DNS record. You can also deny certain MACs from obtaining an IP.<br />
<br />
Now start dnsmasq:<br />
# systemctl start dnsmasq.service<br />
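Added example, not from the article or from dnsmasq: a small Python helper that derives the gateway address, the usable client range and the matching {{ic|dhcp-range}} line from a single CIDR prefix, so the netctl profile and dnsmasq stay consistent when you shrink the subnet as the note above suggests. It assumes the gateway takes the first usable address, as {{ic|intern0-profile}} does; the MAC address and hostname in the static-lease check are constructed.<br />
<br />
```python
"""Plan LAN addressing for the gateway, the netctl profile and dnsmasq from one
CIDR prefix.

Added example for this article, not from the wiki or from dnsmasq. Assumption
(as in intern0-profile above): the gateway takes the first usable host address.
"""
import ipaddress


def lan_plan(cidr: str, lease: str = "1h") -> dict:
    """Return gateway, usable client range and matching config lines.

    The network and broadcast addresses are never handed out: on a /24 the
    pool ends at .254, because .255 is the broadcast address.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())
    if len(hosts) < 2:
        raise ValueError(f"{cidr} has no room for a gateway and at least one client")
    gateway, first, last = hosts[0], hosts[1], hosts[-1]
    return {
        "network": str(net),
        "gateway": str(gateway),
        "first": str(first),
        "last": str(last),
        "clients": len(hosts) - 1,
        "netctl_address": f"Address=('{gateway}/{net.prefixlen}')",
        "dhcp_range": f"dhcp-range={first},{last},{net.netmask},{lease}",
    }


def static_lease(plan: dict, mac: str, hostname: str, ip: str) -> str:
    """dnsmasq dhcp-host line for a fixed lease.

    Addresses outside the client pool are refused, which rejects the network
    address, the broadcast address and the gateway's own address.
    """
    addr = ipaddress.ip_address(ip)
    first = ipaddress.ip_address(plan["first"])
    last = ipaddress.ip_address(plan["last"])
    if not first <= addr <= last:
        raise ValueError(f"{ip} is outside the client pool {first}-{last}")
    return f"dhcp-host={mac},{hostname},{addr}"


if __name__ == "__main__":
    plan = lan_plan("10.0.0.1/24")
    print(plan["netctl_address"])
    print(plan["dhcp_range"])
    # constructed MAC address and hostname for the example
    print(static_lease(plan, "00:11:22:33:44:55", "fileserver", "10.0.0.10"))
```
<br />
Paste the {{ic|Address=}} line into {{ic|intern0-profile}} and the {{ic|dhcp-range}} and {{ic|dhcp-host}} lines into {{ic|/etc/dnsmasq.conf}}. For the {{ic|/27}} from the note above, the helper reports 10.0.0.1 as the gateway and 10.0.0.2 to 10.0.0.30 as the pool.<br />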
<br />
==Connection sharing==<br />
<br />
Time to tie the two network interfaces to each other.<br />
===iptables===<br />
[[Simple stateful firewall]] documents the setup of an [[iptables]] firewall and NAT.<br />
<br />
Make sure you add firewall exceptions on the LAN interface for DHCP and DNS if you want to use Dnsmasq. DHCP uses UDP only (server port 67), so no TCP rule is needed for it; DNS needs both UDP and TCP on port 53, because responses that do not fit in a UDP datagram are retried over TCP:<br />
<br />
* Insert Rules:<br />
# iptables -t filter -I INPUT -i intern0 -p udp -m udp --dport 67 -j ACCEPT<br />
# iptables -t filter -I INPUT -i intern0 -p udp -m udp --dport 53 -j ACCEPT<br />
# iptables -t filter -I INPUT -i intern0 -p tcp -m tcp --dport 53 -j ACCEPT<br />
<br />
===Shorewall===<br />
Shorewall, an iptables frontend, can be used as an easier alternative. See [[Shorewall]] for detailed configuration.<br />
<br />
==IPv6 tips==<br />
<br />
{{Merge|IPv6|Merge into the main article, the topic is not specific to ''router configuration''. The wording should be probably changed along the way.}}<br />
<br />
''Useful reading: [[IPv6]] and the [https://en.wikipedia.org/wiki/IPv6 Wikipedia IPv6 entry].''<br />
<br />
=== Unique Local Addresses ===<br />
<br />
You can use your router in IPv6 mode even if you do not have an IPv6 address from your ISP. Unless you disable IPv6, every interface already has a link-local address from {{ic|fe80::/10}}.<br />
<br />
For internal networking the block {{ic|fc00::/7}} has been reserved. Addresses from this block are called [http://en.wikipedia.org/wiki/Unique_local_address Unique Local Addresses]; their 40-bit Global ID is chosen pseudo-randomly so that different sites are very unlikely to collide, and they are not routed on the public Internet. To get started, generate a ULA /48 (for example with a [http://www.simpledns.com/private-ipv6.aspx generator]) and pick a /64 from it for your network; this example uses {{ic|fd00:aaaa:bbbb:cccc::/64}}. First assign a static IPv6 address on the internal interface. Modify the {{ic|intern0-profile}} we created above to include the following line<br />
<br />
IPCustom=('-6 addr add fd00:aaaa:bbbb:cccc::1/64 dev intern0')<br />
<br />
This will add the ULA to the internal interface. As far as the router goes, this is all you need to configure.<br />
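Rather than trusting a web page to pick the prefix, you can generate it locally. The following is an added example, not code from the wiki: it implements the Global ID algorithm from RFC 4193 section 3.2.2 (the low 40 bits of SHA-1 over a 64-bit NTP timestamp and an EUI-64) and emits the {{ic|IPCustom}} line for {{ic|intern0-profile}}. It assumes the EUI-64 is built from the host's 48-bit MAC ({{ic|uuid.getnode()}}, unless one is passed in) and the timestamp from the system clock; the MAC and time in the module's test values are constructed.<br />
<br />
```python
"""Generate a Unique Local Address prefix locally, as RFC 4193 section 3.2.2
specifies, instead of pasting the result of a web generator into the router.

Added example for this article, not code from the wiki. Assumptions: the
EUI-64 the RFC calls for is built from a 48-bit MAC (the host's own via
uuid.getnode() unless one is passed in), and the 64-bit NTP timestamp is
derived from the system clock unless a fixed time is passed in.
"""
import hashlib
import ipaddress
import time
import uuid
from typing import Optional

NTP_UNIX_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
ULA_LOCAL = ipaddress.IPv6Network("fd00::/8")  # fc00::/7 with the L bit set


def mac_to_eui64(mac: int) -> bytes:
    """Modified EUI-64 from a 48-bit MAC: insert ff:fe and flip the U/L bit."""
    b = mac.to_bytes(6, "big")
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]


def ntp_timestamp(unix_seconds: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900, 32-bit fraction."""
    whole = int(unix_seconds)
    fraction = int((unix_seconds - whole) * (1 << 32)) & 0xFFFFFFFF
    return (whole + NTP_UNIX_OFFSET).to_bytes(4, "big") + fraction.to_bytes(4, "big")


def ula_prefix(mac: Optional[int] = None, unix_seconds: Optional[float] = None) -> ipaddress.IPv6Network:
    """Return a /48 ULA prefix: fd00::/8 followed by a 40-bit Global ID.

    Global ID = the low-order 40 bits of SHA-1(NTP timestamp || EUI-64).
    """
    if mac is None:
        mac = uuid.getnode()
    if unix_seconds is None:
        unix_seconds = time.time()
    digest = hashlib.sha1(ntp_timestamp(unix_seconds) + mac_to_eui64(mac)).digest()
    global_id = int.from_bytes(digest[-5:], "big")
    return ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80), 48))


def ula_subnet(prefix: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """Pick one /64 out of the /48 using the 16-bit Subnet ID."""
    if prefix.prefixlen != 48 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("need a /48 ULA prefix and a 16-bit subnet ID")
    return ipaddress.IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))


def is_ula(net: ipaddress.IPv6Network) -> bool:
    """True for locally assigned ULAs (fd00::/8), the only kind RFC 4193 defines for use."""
    return net.subnet_of(ULA_LOCAL)


def netctl_ipcustom(subnet: ipaddress.IPv6Network, iface: str = "intern0") -> str:
    """The IPCustom line for the LAN profile, giving the router ::1 in the subnet."""
    router = subnet.network_address + 1
    return f"IPCustom=('-6 addr add {router}/{subnet.prefixlen} dev {iface}')"


if __name__ == "__main__":
    prefix = ula_prefix()
    lan = ula_subnet(prefix, 1)
    print(f"ULA /48: {prefix}")
    print(f"LAN /64: {lan}")
    print(netctl_ipcustom(lan))
```
<br />
Generate the prefix once, record it, and carve further /64s out of it with other subnet IDs if you later add networks; regenerating gives a different prefix every time because the timestamp is part of the hash input.<br />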
<br />
=== Global Unicast Addresses ===<br />
<br />
If your ISP or WAN network has access to the IPv6 Internet you can additionally assign global unicast addresses to your router and advertise a prefix to your internal network through SLAAC. The global unicast prefix is usually either ''static'' or obtained through ''prefix delegation''.<br />
<br />
==== Static IPv6 prefix ====<br />
<br />
If your ISP has provided you with a static prefix then edit {{ic|/etc/netctl/extern0-profile}} and add the IPv6 address and prefix length (usually /64) you have been given. The address below is from the {{ic|2001:db8::/32}} documentation range and stands in for your own:<br />
<br />
IPCustom=('-6 addr add 2001:db8:1:2::1/64 dev extern0')<br />
<br />
You can use this in addition to the ULA address described above.<br />
<br />
====Acquiring IPv6 prefix via DHCPv6-PD====<br />
<br />
If your ISP handles IPv6 via prefix delegation then you can follow the instructions in the [[IPv6|main IPv6 article]] on how to properly configure your router. Following the conventions of this article the WAN interface is {{ic|extern0}} (or {{ic|ppp0}} if you are connecting through PPPoE) and the LAN interface is {{ic|intern0}}.<br />
<br />
=== Router Advertisement and Stateless Autoconfiguration (SLAAC) ===<br />
<br />
To hand out IPv6 addresses to the network clients properly, you need a router advertisement daemon. Follow the [[IPv6#For_gateways|main IPv6 article]] on how to set up {{ic|radvd}}. Following the conventions of this guide, the LAN-facing interface is {{ic|intern0}}. You can either advertise all prefixes or choose which prefixes will be assigned to the local network.<br />
<br />
==Cleanup==<br />
<br />
Now that the installation has been performed, it is necessary to remove as many packages as possible. Since we are making a gateway, keeping unneeded packages only "bloats" the system, and increases the number of security risks.<br />
<br />
First, check for packages that are no longer in the sync databases (likely after a fresh install and a long series of updates); {{ic|pacman -Qm}} lists these as ''foreign'' packages:<br />
<br />
$ pacman -Qm<br />
<br />
Review the list of explicitly installed packages that are not dependencies and remove any that are unneeded. Having only needed packages installed is an important security consideration.<br />
<br />
$ pacman -Qet<br />
<br />
Completely remove the packages you do not need along with their configuration files and dependencies:<br />
<br />
# pacman -Rsn package1 package2 package3<br />
<br />
== Logrotate ==<br />
<br />
You should review the [[logrotate]] configuration to make sure the box is not brought down by lack of diskspace due to logging.<br />
<br />
Logrotate is installed by default, so you will not have to install it.<br />
<br />
==Optional additions==<br />
<br />
===UPnP===<br />
The above configuration of Shorewall does not include [[Wikipedia:UPnP|UPnP]] support. Use of UPnP is discouraged: an Internet gateway daemon lets any host on the LAN open inbound ports through the NAT without authentication, so a single compromised LAN machine can expose itself to the Internet. However, some applications require it to function correctly.<br />
<br />
To enable UPnP on your router, you need to install an UPnP Internet gateway daemon (IGD). To get it, install {{Pkg|miniupnpd}} from the [[official repositories]].<br />
<br />
Read the [http://www.shorewall.net/UPnP.html Shorewall guide on UPnP] for more information<br />
<br />
===Remote administration===<br />
<br />
[[SSH|OpenSSH]] can be used to administer your router remotely. This is useful for running it "headless" (no monitor or input devices).<br />
<br />
=== Caching web proxy ===<br />
<br />
See [[Squid]] or [[Polipo]] for the setup of a web proxy to speed up browsing and/or adding an extra layer of security.<br />
<br />
=== Time server ===<br />
To use the router as a time server, see [[Network Time Protocol daemon]].<br />
<br />
Then, configure shorewall or iptables to allow NTP traffic in and out.<br />
<br />
=== Content filtering ===<br />
<br />
Install and configure [[DansGuardian]] or [[Privoxy]] if you need a content filtering solution.<br />
<br />
=== Traffic shaping ===<br />
<br />
Traffic shaping is very useful, especially when you are not the only one on the LAN. The idea is to assign a priority to different types of traffic. Interactive traffic (ssh, online gaming) probably needs the highest priority, while P2P traffic can do with the lowest. Then there is everything in between.<br />
<br />
==== Traffic shaping with shorewall ====<br />
<br />
Read [http://www.shorewall.net/traffic_shaping.htm Shorewall's Traffic Shaping/Control] guide.<br />
<br />
Here is my config as an example:<br />
* /etc/shorewall/tcdevices : here is where you define the interface you want to have shaped and its rates. I have an ADSL connection with a 4MBit down/256KBit up profile.<br />
ppp0 4mbit 256kbit <br />
* /etc/shorewall/tcclasses : here you define the minimum (rate) and maximum (ceil) throughput per class. You will assign each one to a type of traffic to shape.<br />
# interactive traffic (ssh)<br />
ppp0 1 full full 0<br />
# online gaming<br />
ppp0 2 full/2 full 5<br />
# http<br />
ppp0 3 full/4 full 10<br />
# rest<br />
ppp0 4 full/6 full 15 default<br />
* /etc/shorewall/tcrules : this file contains the types of traffic and the class it belongs to.<br />
1 0.0.0.0/0 0.0.0.0/0 tcp ssh<br />
2 0.0.0.0/0 0.0.0.0/0 udp 27000:28000<br />
3 0.0.0.0/0 0.0.0.0/0 tcp http<br />
3 0.0.0.0/0 0.0.0.0/0 tcp https<br />
I have split my traffic into 4 groups:<br />
# interactive traffic or ssh: although it takes up almost no bandwidth, it is very annoying if it lags due to leechers on the LAN. This gets the highest priority.<br />
# online gaming: needless to say you cannot play when your ping sucks. ;)<br />
# webtraffic: can be a bit slower<br />
# everything else: every sort of download, they are the cause of the lag anyway.<br />
<br />
===Intrusion detection and prevention with snort===<br />
<br />
See [[Snort]].<br />
<br />
==See also==<br />
*[[Simple stateful firewall]]<br />
*[[Internet sharing]]</div>Foucaulthttps://wiki.archlinux.org/index.php?title=Router&diff=369343Router2015-04-11T15:24:06Z<p>Foucault: /* Router Advertisement and Stateless Autoconfiguration (SLAAC) */ Moved SLAAC configuration to main IPv6 articles https://wiki.archlinux.org/index.php/IPv6#Stateless_autoconfiguration_.28SLAAC.29</p>
<hr />
<div>[[Category:Networking]]<br />
[[Category:Security]]<br />
{{Poor writing|The introduction states that this page "focuses on ''security''", but 99% is plain system configuration. It also needs massive deduplication, security is already covered [[Simple stateful firewall|elsewhere]].}}<br />
<br />
This article is a tutorial for turning a computer into an internet gateway/router. It focuses on ''security'', since the gateway is connected directly to the Internet. It should not run '''any''' services available to the outside world. Towards the LAN, it should only run gateway specific services. It should not run httpd, ftpd, samba, nfsd, etc. as those belong on a server in the LAN as they introduce security flaws.<br />
<br />
This article does not attempt to show how to set up a shared connection between 2 PCs using cross-over cables. For a simple internet sharing solution, see [[Internet sharing]].<br />
<br />
==Hardware Requirements==<br />
* At least 1 GB of hard drive space. The base install will take up around 500MB of space and if you want to use a caching web proxy, you will need to reserve space for the cache as well.<br />
* At least two physical network interfaces: a gateway connects two networks with each other. You will need to be able to connect those networks to the same physical computer. One interface must connect to the external network, while the other connects to the internal network.<br />
* A hub, switch or UTP cable: You need a way to connect the other computers to the gateway<br />
<br />
==Conventions==<br />
Conventions in this guide will be to use non-realistic interface names, to avoid confusion about which interface is which.<br />
<br />
* '''intern0''': the network card connected to the LAN. On an actual computer it will probably have the name enp2s0, enp1s1, etc.<br />
* '''extern0''': the network card connected to the external network (or WAN). It will probably have the name enp2s0, enp1s1, etc.<br />
<br />
==Installation==<br />
{{Note | For a full installation guide, see the [[Installation guide]].}}<br />
<br />
A fresh install of Arch Linux is the easiest to start from, as no configuration changes have been made and there is a minimal amount of packages installed. This is helpful when attempting to reduce security risk.<br />
<br />
===Partitioning===<br />
<br />
For security purposes, {{ic|/var}}, {{ic|/tmp}} and {{ic|/home}} should be separate from the {{ic|/}} partition. This prevents disk space from being completely used up by log files, daemons or the unprivileged user. It also allows different mount options for those partitions. If you have already partitioned your drive, the [http://gparted.sourceforge.net/ gparted livecd] can be used to resize, move, or create new partitions.<br />
<br />
Your home and root partitions can be much smaller than a regular install since this is not a desktop machine. {{ic|/var}} should be the largest partition—it is where databases, logs and long-term caches are stored. If you have a lot of RAM, mounting {{ic|/tmp}} as {{ic|tmpfs}} is a good idea, so making a disk partition for it during the initial install is unnecessary. Note that {{ic|/tmp}} is mounted as {{ic|tmpfs}} by default in Arch.<br />
<br />
===Post-Installation===<br />
After creation of non-root account you are recommended to install [[sudo]] and [[sudo#Disable root login|disable root login]].<br />
<br />
==Network interface configuration==<br />
<br />
===Persistent naming and Interface renaming===<br />
Systemd automatically chooses unique interface names for all your interfaces. These are persistent and will not change when you reboot. If you would like to rename interface to user friendlier names read [[Network configuration#Device_names]].<br />
<br />
===IP configuration===<br />
Now you will need to configure the network interfaces. The best way to do so is using [[netctl]] profiles. You will need to create two profiles.<br />
{{Note|If you will be connecting to the Internet only via PPPoE (you have one WAN port) you '''do not need''' to setup or enable the extern0-profile. See below for more information on configuring PPPoE.}}<br />
* {{ic|/etc/netctl/extern0-profile}}<br />
Description='Public Interface.'<br />
Interface=extern0<br />
Connection=ethernet<br />
IP='dhcp'<br />
<br />
* {{ic|/etc/netctl/intern0-profile}}<br />
Description='Private Interface'<br />
Interface=intern0<br />
Connection=ethernet<br />
IP='static'<br />
Address=('10.0.0.1/24')<br />
<br />
{{Note|The example configuration above assumes a full subnet. If you are building the gateway for a small amount of people, you will want to change the CIDR suffix to accommodate a smaller range. For example /27 will give you 10.0.0.1 to 10.0.0.30. You can find many CIDR calculators online.}}<br />
<br />
Next up is to set up the interfaces with netctl.<br />
# netctl enable extern0-profile<br />
# netctl enable intern0-profile<br />
<br />
==ADSL connection/PPPoE==<br />
Using rp-pppoe, we can connect an ADSL modem to the {{ic|extern0}} interface of the firewall and have Arch manage the connection. Make sure you put the modem in ''bridged'' mode though (either half-bridge or RFC1483), otherwise the modem will act as a router too.<br />
# pacman -S rp-pppoe<br />
<br />
It should be noted that if you use only PPPoE to connect to the internet (ie. you do not have other WAN port, except for the one that connects to your modem) you do not need to set up the {{ic|extern0-profile}} as the external pseudo-interface will be ppp0.<br />
<br />
===PPPoE configuration===<br />
You can use netctl to set up the PPPoE connection. To get started, copy the example profile<br />
# cp /etc/netctl/examples/pppoe /etc/netctl/<br />
and start editing. For the interface configuration choose the interface that connects to the modem. If you only connect to the Internet through PPPoE this will probably be {{ic|extern0}}. Fill in the rest of the fields with your ISP information. See the PPPoE section of the {{ic|netctl.profile(5)}} man page for more information on the fields.<br />
<br />
==DNS and DHCP==<br />
We will use [[dnsmasq]], a DNS and DHCP daemon for the LAN. It was specifically designed for small sites. To get it, [[Pacman | install]] {{Pkg|dnsmasq}} from the [[official repositories]].<br />
<br />
Dnsmasq needs to be configured to be a DHCP server. To do this:<br />
<br />
Edit {{ic|/etc/dnsmasq.conf}}:<br />
<br />
interface=intern0 # make dnsmasq listen for requests only on intern0 (our LAN)<br />
expand-hosts # add a domain to simple hostnames in /etc/hosts<br />
domain=foo.bar # allow fully qualified domain names for DHCP hosts (needed when<br />
# "expand-hosts" is used)<br />
dhcp-range=10.0.0.2,10.0.0.254,255.255.255.0,1h # defines a DHCP-range for the LAN:<br />
# from 10.0.0.2 to .254 with a subnet mask of 255.255.255.0 and a<br />
# DHCP lease of 1 hour (change to your own preferences); .255 is the<br />
# broadcast address of this /24 and must not be part of the pool<br />
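<br />
The following shell functions are an added example and are not part of the original article or of dnsmasq: they derive the usable host range, the netmask and a matching {{ic|dhcp-range}} line from the CIDR you gave {{ic|intern0}} in its netctl profile, so the pool starts right after the gateway's own address and stops before the broadcast address. They assume the gateway holds the address given on the command line (10.0.0.1 above) and work for any prefix length, not only the /24 and /27 mentioned in the note.<br />

```shell
#!/bin/sh
# Added example (not from the ArchWiki page): CIDR arithmetic for the LAN side of the
# gateway and the dnsmasq dhcp-range line that fits it. Uses POSIX sh arithmetic only.

# Dotted quad <-> 32-bit integer.
ip2int() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# For an address/prefix such as 10.0.0.1/27 print:
#   network first-host last-host broadcast netmask host-count
cidr_info() {
  addr=${1%/*}; bits=${1#*/}
  mask=$(( (0xffffffff << (32 - bits)) & 0xffffffff ))
  net=$(( $(ip2int "$addr") & mask ))
  bcast=$(( net | (~mask & 0xffffffff) ))
  echo "$(int2ip "$net") $(int2ip $((net + 1))) $(int2ip $((bcast - 1))) $(int2ip "$bcast") $(int2ip "$mask") $((bcast - net - 1))"
}

# dnsmasq dhcp-range covering every usable host after the gateway (the address given
# in $1, as in the intern0 profile) up to the last host, never the broadcast address.
# $2 is the lease time in dnsmasq syntax, e.g. 1h.
dhcp_range_for() {
  gw=${1%/*}; lease=$2
  set -- $(cidr_info "$1")
  echo "dhcp-range=$(int2ip $(( $(ip2int "$gw") + 1 ))),$3,$5,$lease"
}
```

Run {{ic|dhcp_range_for 10.0.0.1/27 1h}} to get the line for the smaller subnet from the note above; {{ic|cidr_info 10.0.0.1/27}} prints the network, first host, last host, broadcast, netmask and host count so you can double-check the values before editing {{ic|dnsmasq.conf}}.<br />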
<br />
Further down in the file, you will notice you can also add "static" DHCP leases, i.e. assign an IP address to the MAC address of a computer on the LAN. This way, whenever that computer requests a new lease, it gets the same IP, which is very useful for network servers with a DNS record. You can also deny certain MAC addresses from obtaining an IP.<br />
<br />
Now start dnsmasq:<br />
# systemctl start dnsmasq.service<br />
<br />
==Connection sharing==<br />
<br />
Time to tie the two network interfaces to each other.<br />
===iptables===<br />
[[Simple stateful firewall]] documents the setup of an [[iptables]] firewall and NAT.<br />
<br />
If you want to use dnsmasq, make sure you have added the firewall exceptions for DHCP (port 67) and DNS (port 53) on the LAN interface:<br />
<br />
* Insert Rules:<br />
# iptables -t filter -I INPUT -i intern0 -p udp -m udp --dport 67 -j ACCEPT<br />
# iptables -t filter -I INPUT -i intern0 -p tcp -m tcp --dport 67 -j ACCEPT<br />
# iptables -t filter -I INPUT -i intern0 -p udp -m udp --dport 53 -j ACCEPT<br />
# iptables -t filter -I INPUT -i intern0 -p tcp -m tcp --dport 53 -j ACCEPT<br />
<br />
===Shorewall===<br />
Shorewall, an iptables frontend, can be used as an easier alternative. See [[Shorewall]] for detailed configuration.<br />
<br />
==IPv6==<br />
<br />
{{Merge|IPv6|Merge into the main article, the topic is not specific to ''router configuration''. The wording should be probably changed along the way.}}<br />
<br />
''Useful reading: [[IPv6]] and the [https://en.wikipedia.org/wiki/IPv6 Wikipedia IPv6 entry].''<br />
<br />
You can use your router in IPv6 mode even if you do not have an IPv6 address from your ISP. Unless you disable IPv6 all interfaces should have been assigned a unique {{ic|fe80::/10}} address.<br />
<br />
For internal networking the block {{ic|fc00::/7}} has been reserved. These addresses are guaranteed to be unique and non-routable from the open internet. Addresses that belong to the {{ic|fc00::/7}} block are called [http://en.wikipedia.org/wiki/Unique_local_address Unique Local Addresses]. To get started [http://www.simpledns.com/private-ipv6.aspx generate a ULA /64 block] to use in your network. For this example we will use {{ic|fd00:aaaa:bbbb:cccc::/64}}. Firstly we must assign a static IPv6 on the internal interface. Modify the {{ic|intern0-profile}} we created above to include the following line<br />
IPCustom=('-6 addr add fd00:aaaa:bbbb:cccc::1/64 dev intern0')<br />
This will add the ULA to the internal interface. As far as the router goes, this is all you need to configure.<br />
<br />
=== Router Advertisement and Stateless Autoconfiguration (SLAAC) ===<br />
<br />
To properly hand out IPv6 addresses to the network clients we will need to use a router advertisement daemon. Follow the details in the [[IPv6#For_gateways|main IPv6 article]] on how to set up {{ic|radvd}}. Following the convention of this guide the LAN-facing interface is {{ic|intern0}}.<br />
<br />
===Global Unicast Addresses===<br />
<br />
====Static WAN IPv6====<br />
<br />
If your ISP or WAN network can reach the IPv6 Internet you can assign global unicast addresses to your router and propagate them through SLAAC to your internal network. If you have a static IPv6 address, all you must do is add it to your external profile and enable the advertisement of the global unicast block in {{ic|radvd.conf}}.<br />
<br />
In {{ic|/etc/netctl/extern0-profile}} simply add the IPv6 address with the prefix length (usually /64) you have been provided:<br />
<br />
IPCustom=('-6 addr add 2002:1:2:3:4:5:6:7/64 dev extern0')<br />
<br />
and edit {{ic|/etc/radvd.conf}} to include the new advertisement block.<br />
<br />
interface intern0 {<br />
AdvSendAdvert on;<br />
MinRtrAdvInterval 3;<br />
MaxRtrAdvInterval 10;<br />
prefix fd00:aaaa:bbbb:cccc::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
};<br />
prefix 2002:1:2:3::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
};<br />
};<br />
<br />
In that way your internal network clients will also get a global IPv6 address. Such an address is routable from the open Internet, so adjust your firewall rules accordingly: LAN clients are now directly reachable from outside. Note that global and unique local IPv6 addresses can co-exist on the same interface without further configuration.<br />
<br />
====Acquiring WAN IPv6 via DHCPv6-PD====<br />
<br />
You can acquire IPv6 via prefix delegation following the instructions in the [[IPv6|main IPv6 article]]. Following the conventions of this article the WAN interface is {{ic|extern0}} (or {{ic|ppp0}} if you are connecting through PPPoE) and the LAN interface is {{ic|intern0}}. You might need to update your Router Advertisement configuration to advertise all assigned {{ic|/64}} prefixes. Simply change {{ic|/etc/radvd.conf}} to<br />
<br />
interface intern0 {<br />
AdvSendAdvert on;<br />
MinRtrAdvInterval 3;<br />
MaxRtrAdvInterval 10;<br />
prefix ::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
DeprecatePrefix on;<br />
};<br />
};<br />
<br />
==Cleanup==<br />
<br />
Now that the installation has been performed, it is necessary to remove as many packages as possible. Since we are building a gateway, keeping unneeded packages only "bloats" the system and increases its attack surface.<br />
<br />
First, check for packages that are no longer found in the repositories (foreign packages; these are likely after a fresh install and a long series of updates):<br />
<br />
$ pacman -Qm<br />
<br />
Review the list of explicitly installed packages that are not dependencies and remove any that are unneeded. Having only needed packages installed is an important security consideration.<br />
<br />
$ pacman -Qet<br />
<br />
Completely remove the packages you do not need along with their configuration files and dependencies:<br />
<br />
# pacman -Rsn package1 package2 package3<br />
<br />
== Logrotate ==<br />
<br />
You should review the [[logrotate]] configuration to make sure the box is not brought down by lack of disk space due to logging.<br />
<br />
Logrotate is installed by default, so you will not have to install it.<br />
<br />
==Optional additions==<br />
<br />
===UPnP===<br />
The above configuration of shorewall does not include [[Wikipedia:UPnP|UPnP]] support. Use of UPnP is discouraged as it may make the gateway vulnerable to attacks from within the LAN. However, some applications require this to function correctly.<br />
<br />
To enable UPnP on your router, you need to install a UPnP Internet Gateway Device (IGD) daemon. To get it, install {{Pkg|miniupnpd}} from the [[official repositories]].<br />
<br />
Read the [http://www.shorewall.net/UPnP.html Shorewall guide on UPnP] for more information.<br />
<br />
===Remote administration===<br />
<br />
[[SSH|OpenSSH]] can be used to administer your router remotely. This is useful for running it "headless" (no monitor or input devices).<br />
<br />
=== Caching web proxy ===<br />
<br />
See [[Squid]] or [[Polipo]] for the setup of a web proxy to speed up browsing and/or add an extra layer of security.<br />
<br />
=== Time server ===<br />
To use the router as a time server, see [[Network Time Protocol daemon]].<br />
<br />
Then, configure shorewall or iptables to allow NTP traffic in and out.<br />
<br />
=== Content filtering ===<br />
<br />
Install and configure [[DansGuardian]] or [[Privoxy]] if you need a content filtering solution.<br />
<br />
=== Traffic shaping ===<br />
<br />
Traffic shaping is very useful, especially when you are not the only one on the LAN. The idea is to assign a priority to different types of traffic. Interactive traffic (ssh, online gaming) probably needs the highest priority, while P2P traffic can do with the lowest. Then there is everything in between.<br />
<br />
==== Traffic shaping with shorewall ====<br />
<br />
Read [http://www.shorewall.net/traffic_shaping.htm Shorewall's Traffic Shaping/Control] guide.<br />
<br />
Here is my config as an example:<br />
* /etc/shorewall/tcdevices : here is where you define the interface you want to have shaped and its rates. I have got an ADSL connection with a 4MBit down/256KBit up profile.<br />
ppp0 4mbit 256kbit <br />
* /etc/shorewall/tcclasses : here you define the minimum (rate) and maximum (ceil) throughput per class. You will assign each one to a type of traffic to shape.<br />
# interactive traffic (ssh)<br />
ppp0 1 full full 0<br />
# online gaming<br />
ppp0 2 full/2 full 5<br />
# http<br />
ppp0 3 full/4 full 10<br />
# rest<br />
ppp0 4 full/6 full 15 default<br />
* /etc/shorewall/tcrules : this file maps each type of traffic to the class it belongs to.<br />
1 0.0.0.0/0 0.0.0.0/0 tcp ssh<br />
2 0.0.0.0/0 0.0.0.0/0 udp 27000:28000<br />
3 0.0.0.0/0 0.0.0.0/0 tcp http<br />
3 0.0.0.0/0 0.0.0.0/0 tcp https<br />
I have split up my traffic into 4 groups:<br />
# interactive traffic or ssh: although it takes up almost no bandwidth, it is very annoying if it lags due to leechers on the LAN. This gets the highest priority.<br />
# online gaming: needless to say you cannot play when your ping sucks. ;)<br />
# webtraffic: can be a bit slower<br />
# everything else: every sort of download, they are the cause of the lag anyway.<br />
<br />
===Intrusion detection and prevention with snort===<br />
<br />
See [[Snort]].<br />
<br />
==See also==<br />
*[[Simple stateful firewall]]<br />
*[[Internet sharing]]</div>Foucaulthttps://wiki.archlinux.org/index.php?title=IPv6&diff=369342IPv62015-04-11T15:20:51Z<p>Foucault: /* For gateways */</p>
<hr />
<div>[[Category:Networking]]<br />
[[es:IPv6]]<br />
[[ja:IPv6]]<br />
[[pt:IPv6]]<br />
[[ru:IPv6]]<br />
[[zh-CN:IPv6]]<br />
{{Related articles start}}<br />
{{Related|IPv6 tunnel broker setup}}<br />
{{Related articles end}}<br />
In Arch Linux, IPv6 is enabled by default. If you are looking for information regarding IPv6 tunnels, you may want to look at [[IPv6 tunnel broker setup]].<br />
<br />
== Neighbor discovery ==<br />
<br />
Pinging the multicast address {{ic|ff02::1}} results in all hosts in link-local scope responding. An interface has to be specified:<br />
<br />
$ ping6 ff02::1%eth0<br />
<br />
With a ping to the multicast address {{ic|ff02::2}} only routers will respond.<br />
<br />
If you add an option {{ic|-I ''your-global-ipv6''}}, link-local hosts will respond with their global-scope addresses. The interface can be omitted in this case:<br />
<br />
$ ping6 -I 2001:4f8:fff6::21 ff02::1<br />
<br />
== Stateless autoconfiguration (SLAAC) ==<br />
<br />
The easiest way to acquire an IPv6 address, as long as your network is configured for it, is through ''Stateless address autoconfiguration'' (SLAAC for short). The address is automatically derived from the prefix that your router advertises and requires neither further configuration nor specialized software such as a DHCP client.<br />
<br />
=== For clients ===<br />
<br />
If you are using [[netctl]] you just need to add the following line to your ethernet or wireless profile:<br />
<br />
IP6=stateless<br />
<br />
If you are using [[NetworkManager]] then it automatically enables IPv6 addresses if there are advertisements for them in the network.<br />
<br />
Please note that stateless autoconfiguration works only if ICMPv6 packets are allowed throughout the network, so on the client side {{ic|ipv6-icmp}} packets must be accepted. If you are using the [[Simple stateful firewall]]/[[iptables]] you only need to add:<br />
<br />
-A INPUT -p ipv6-icmp -j ACCEPT<br />
<br />
If you are using another firewall frontend (ufw, shorewall, etc.) consult its documentation on how to allow {{ic|ipv6-icmp}} packets.<br />
<br />
=== For gateways ===<br />
<br />
To properly hand out IPv6 addresses to the network clients we will need to use a router advertisement daemon. The standard tool for this job is {{Pkg|radvd}}, which is available in the [[official repositories]]. Configuration of radvd is fairly simple. Edit {{ic|/etc/radvd.conf}} to include<br />
<br />
# replace LAN with your LAN facing interface<br />
interface LAN {<br />
AdvSendAdvert on;<br />
MinRtrAdvInterval 3;<br />
MaxRtrAdvInterval 10;<br />
prefix ::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
};<br />
};<br />
<br />
The above configuration will tell clients to autoconfigure themselves using addresses from the advertised /64 block. Please note that the above configuration advertises ''all available prefixes'' assigned to the LAN-facing interface. If you want to limit the advertised prefixes, use the desired prefix instead of {{ic|::/64}}, e.g. {{ic|2001:DB8::/64}}. The {{ic|prefix}} block can be repeated for more prefixes.<br />
<br />
The gateway must also allow the traffic of {{ic|ipv6-icmp}} packets on all basic chains. For the [[Simple stateful firewall]]/[[iptables]] add:<br />
<br />
-A INPUT -p ipv6-icmp -j ACCEPT<br />
-A OUTPUT -p ipv6-icmp -j ACCEPT<br />
-A FORWARD -p ipv6-icmp -j ACCEPT<br />
<br />
Adjust accordingly for other firewall frontends and don't forget to enable {{ic|radvd.service}}.<br />
<br />
== Privacy extensions ==<br />
<br />
When a client acquires an address through SLAAC its IPv6 address is derived from the advertised prefix and the MAC address of the client's network interface. This may raise security concerns, as the MAC address of the computer can easily be derived from the IPv6 address. In order to tackle this problem the ''IPv6 Privacy Extensions'' standard ([https://tools.ietf.org/html/rfc4941 RFC 4941]) has been developed. With privacy extensions the kernel generates a ''temporary'' address with a randomized interface identifier next to the original autoconfigured address. Temporary addresses are preferred for outgoing connections to remote servers, so the original address is hidden. To enable Privacy Extensions perform the following steps:<br />
<br />
Add these lines to {{ic|/etc/sysctl.d/40-ipv6.conf}}:<br />
<br />
# Enable IPv6 Privacy Extensions<br />
net.ipv6.conf.all.use_tempaddr = 2<br />
net.ipv6.conf.default.use_tempaddr = 2<br />
net.ipv6.conf.''nic0''.use_tempaddr = 2<br />
...<br />
net.ipv6.conf.''nicN''.use_tempaddr = 2<br />
<br />
Where {{ic|nic0}} to {{ic|nicN}} are your '''N'''etwork '''I'''nterface '''C'''ards. The {{ic|all.use_tempaddr}} and {{ic|default.use_tempaddr}} parameters are not applied to NICs that already exist when the [[sysctl]] settings are applied, which is why each interface is listed explicitly.<br />
<br />
After a reboot, at the latest, Privacy Extensions should be enabled.<br />
<br />
=== dhcpcd ===<br />
<br />
[[dhcpcd]] has included the option {{ic|slaac private}} in its default configuration file since version 6.4.0, which enables "Stable Private IPv6 Addresses instead of hardware based ones", implementing [https://tools.ietf.org/html/rfc7217 RFC 7217] ([http://roy.marples.name/projects/dhcpcd/info/8aa9dab00dc72c453aeccbde885ecce27a3d81ff commit]). Therefore it is not necessary to change anything, unless you want the IPv6 address to change more often than each time the system connects to a new network.<br />
<br />
=== NetworkManager ===<br />
<br />
NetworkManager does not honour the settings placed in {{ic|/etc/sysctl.d/40-ipv6.conf}}. This can be verified by running {{ic|$ ip -6 addr show ''interface''}} after rebooting: no {{ic|scope global '''temporary'''}} address appears besides the regular one.<br />
<br />
See [[NetworkManager#Enable IPv6 Privacy Extensions]] for a workaround.<br />
<br />
{{Note|Although it may seem the {{ic|scope global temporary}} IPv6 address created by enabling Privacy Extensions never gets renewed (it never shifts to {{ic|deprecated}} status at the term of its {{ic|valid_lft}} lifetime), it is to be verified over a longer period of time that this address '''does''' indeed change.}}<br />
<br />
== Static address ==<br />
<br />
Sometimes using a static address can improve security. For example, if your local router uses Neighbor Discovery or radvd ([http://www.apps.ietf.org/rfc/rfc2461.html RFC 2461]), your interface will automatically be assigned an address based on its MAC address (using IPv6's stateless autoconfiguration). This may be less than ideal for security since it allows a system to be tracked even if the network portion of the IP address changes.<br />
<br />
To assign a static IP address using [[netctl]], look at the example profile in {{ic|/etc/netctl/examples/ethernet-static}}. The following lines are important:<br />
<br />
...<br />
# For IPv6 static address configuration<br />
IP6=static<br />
Address6=('1234:5678:9abc:def::1/64' '1234:3456::123/96')<br />
Routes6=('abcd::1234')<br />
Gateway6='1234:0:123::abcd'<br />
<br />
== IPv6 and PPPoE ==<br />
<br />
The standard tool for PPPoE, {{ic|pppd}}, provides support for IPv6 on PPPoE as long as your ISP and your modem support it. Just add the following to {{ic|/etc/ppp/pppoe.conf}}<br />
<br />
+ipv6<br />
<br />
If you are using [[netctl]] for PPPoE then just add the following to your netctl configuration instead<br />
<br />
PPPoEIP6=yes<br />
<br />
== Prefix delegation (DHCPv6-PD) ==<br />
{{Note|This section is targeted towards custom gateway configuration, not client machines. For standard market routers please consult the documentation of your router on how to enable prefix delegation.}}<br />
<br />
Prefix delegation is a common IPv6 deployment technique used by many ISPs. It is a method of assigning a network prefix to a user site (i.e. a local network). A router can be configured to assign different network prefixes to various subnetworks. The ISP hands out a network prefix using DHCPv6 (usually a {{ic|/56}} or {{ic|/64}}) and a DHCP client assigns the prefixes to the local network. For a simple two-interface gateway it practically assigns an IPv6 prefix to the interface connected to the local network from an address acquired through the interface connected to the WAN (or a pseudo-interface such as ppp).<br />
<br />
=== With dibbler ===<br />
<br />
[http://klub.com.pl/dhcpv6/ Dibbler] is a portable DHCPv6 client and server which can be used for prefix delegation. It is available in the [https://aur.archlinux.org/packages/dibbler AUR].<br />
<br />
If you are using {{ic|dibbler}} edit {{ic|/etc/dibbler/client.conf}}<br />
<br />
log-mode short<br />
log-level 7<br />
# use the interface connected to your WAN<br />
iface "WAN" {<br />
ia<br />
pd<br />
}<br />
<br />
{{Tip|Read manpage '''{{ic|dibbler-client(8)}}''' for more information.}}<br />
<br />
=== With dhcpcd ===<br />
<br />
Besides IPv4 DHCP support, [[dhcpcd]] also provides a fairly complete implementation of the DHCPv6 client standard, which includes DHCPv6-PD. If you are using {{ic|dhcpcd}} edit {{ic|/etc/dhcpcd.conf}}. You might already be using dhcpcd for IPv4, so just update your existing configuration.<br />
<br />
duid<br />
noipv6rs<br />
waitip 6<br />
# Uncomment this line if you are running dhcpcd for IPv6 only.<br />
#ipv6only<br />
<br />
# use the interface connected to WAN<br />
interface WAN<br />
ipv6rs<br />
iaid 1<br />
# use the interface connected to your LAN<br />
ia_pd 1 LAN<br />
#ia_pd 1/::/64 LAN/0/64<br />
<br />
This configuration will ask for a prefix from WAN interface ({{ic|WAN}}) and delegate it to the internal interface ({{ic|LAN}}).<br />
In the event that a {{ic|/64}} range is issued, you will need to use the second {{ic|ia_pd}} instruction (the commented-out one) instead.<br />
It will also disable router solicitations on all interfaces except for the WAN interface ({{ic|WAN}}).<br />
<br />
{{Tip|Also read: manpages '''{{ic|dhcpcd(8)}}''' and '''{{ic|dhcpcd.conf(5)}}'''.}}<br />
<br />
=== With WIDE-DHCPv6 ===<br />
<br />
[http://wide-dhcpv6.sourceforge.net/ WIDE-DHCPv6] is an open-source implementation of Dynamic Host Configuration Protocol for IPv6 (DHCPv6) originally developed by the KAME project. It is available in the [https://aur.archlinux.org/packages/wide-dhcpv6/ AUR].<br />
<br />
If you are using {{ic|wide-dhcpv6}} edit {{ic|/etc/wide-dhcpv6/dhcp6c.conf}}<br />
<br />
# use the interface connected to your WAN<br />
interface WAN {<br />
send ia-pd 0;<br />
};<br />
<br />
id-assoc pd 0 {<br />
# use the interface connected to your LAN<br />
prefix-interface LAN {<br />
sla-id 1;<br />
sla-len 8;<br />
};<br />
};<br />
<br />
{{Note|1={{ic|sla-len}} should be set so that {{ic|1=(WAN-prefix) + (sla-len) = 64}}. In this case it is set up for a {{ic|/56}} prefix 56+8=64. For a {{ic|/64}} prefix {{ic|sla-len}} should be {{ic|0}}.}}<br />
<br />
To enable/start the wide-dhcpv6 client use the following command. Replace {{ic|WAN}} with the interface that is connected to your WAN.<br />
# systemctl enable/start dhcp6c@WAN.service<br />
<br />
{{Tip|Read manpages '''{{ic|dhcp6c(8)}}''' and '''{{ic|dhcp6c.conf(5)}}''' for more information.}}<br />
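<br />
The following POSIX shell functions are an added example; they are not part of the original article nor of radvd, dhcpcd or WIDE-DHCPv6. They make the address arithmetic behind the SLAAC, Privacy extensions and prefix delegation sections concrete: how the modified EUI-64 interface identifier used by SLAAC is built from a MAC address (and therefore recovered from it, which is what privacy extensions guard against), how to audit {{ic|ip -6 addr show}} output for such addresses, and how the {{ic|sla-id}}/{{ic|sla-len}} settings of {{ic|dhcp6c.conf}} select a /64 out of a delegated prefix. The {{ic|ip}} output embedded below is constructed, the MAC address and prefixes are documentation values, and the sub-prefix helper assumes a delegated prefix of at least /32 whose length plus {{ic|sla-len}} does not exceed 64.<br />

```shell
#!/bin/sh
# Added example (not from the ArchWiki page): the address arithmetic behind SLAAC,
# privacy extensions and DHCPv6 prefix delegation. All sample data is constructed.

# Expand a possibly "::"-compressed IPv6 address into 8 zero-padded lowercase hextets.
expand_ipv6() {
  printf '%s\n' "$1" | awk -F'::' '{
    nl = split($1, l, ":"); nr = (NF > 1) ? split($2, r, ":") : 0
    n = 0
    for (i = 1; i <= nl; i++) g[++n] = l[i]
    for (i = nl + nr; i < 8; i++) g[++n] = "0"      # groups hidden by "::"
    for (i = 1; i <= nr; i++) g[++n] = r[i]
    for (i = 1; i <= 8; i++) while (length(g[i]) < 4) g[i] = "0" g[i]
    out = tolower(g[1]); for (i = 2; i <= 8; i++) out = out ":" tolower(g[i])
    print out
  }'
}

# Modified EUI-64 interface identifier (RFC 4291): flip the U/L bit of the first
# octet of the MAC and insert ff:fe in the middle. Prints four hextets.
eui64_iid() {
  mac=$1; oldifs=$IFS; IFS=:; set -- $mac; IFS=$oldifs
  printf '%02x%s:%sff:fe%s:%s%s\n' $(( 0x$1 ^ 0x02 )) "$2" "$3" "$4" "$5" "$6"
}

# Address a host with MAC $2 derives under SLAAC from the advertised /64 prefix $1.
slaac_addr() {
  net=$(expand_ipv6 "${1%%/*}" | cut -d: -f1-4)
  printf '%s:%s\n' "$net" "$(eui64_iid "$2")"
}

# Recover the MAC from an EUI-64 based address. Prints nothing and returns 1 when the
# interface identifier lacks the ff:fe marker (e.g. an RFC 4941 temporary address);
# a random identifier matches by chance with probability 2^-16, so this is a heuristic.
mac_from_slaac() {
  full=$(expand_ipv6 "$1")
  g5=$(printf '%s' "$full" | cut -d: -f5); g6=$(printf '%s' "$full" | cut -d: -f6)
  g7=$(printf '%s' "$full" | cut -d: -f7); g8=$(printf '%s' "$full" | cut -d: -f8)
  if [ "${g6#??}" != ff ] || [ "${g7%??}" != fe ]; then return 1; fi
  printf '%02x:%s:%s:%s:%s:%s\n' $(( 0x${g5%??} ^ 0x02 )) \
    "${g5#??}" "${g6%??}" "${g7#??}" "${g8%??}" "${g8#??}"
}

# Sub-prefix that dhcp6c assigns to a LAN interface from delegated prefix $1
# (e.g. 2001:db8:ab00::/56) with sla-len $2 and sla-id $3. Assumes a delegated
# prefix length of at least 32 and prefix length + sla-len <= 64.
pd_subnet() {
  plen=${1#*/}; slen=$2; sid=$3
  full=$(expand_ipv6 "${1%/*}")
  hi=$(printf '%s' "$full" | cut -d: -f1-2)
  lo=$(( 0x$(printf '%s' "$full" | cut -d: -f3-4 | tr -d ':') | (sid << (64 - plen - slen)) ))
  printf '%s:%04x:%04x::/%d\n' "$hi" $(( lo >> 16 )) $(( lo & 0xffff )) $(( plen + slen ))
}

# Constructed sample of `ip -6 addr show dev eth0` output (not captured from a real host).
SAMPLE_IP6='2: eth0: mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:1c3a:5f0b:9c2e:77d1/64 scope global temporary dynamic
       valid_lft 86178sec preferred_lft 14178sec
    inet6 2001:db8:1:2:211:22ff:fe33:4455/64 scope global dynamic mngtmpaddr
       valid_lft 86178sec preferred_lft 86178sec
    inet6 fe80::211:22ff:fe33:4455/64 scope link
       valid_lft forever preferred_lft forever'

# Read `ip -6 addr` output on stdin; print one line per global address, either
# "<addr> eui64 mac=<mac>" (hardware address exposed) or "<addr> random".
audit_ip6() {
  awk '/^ *inet6 / && / scope global/ { sub("/.*", "", $2); print $2 }' | while read -r a; do
    if mac=$(mac_from_slaac "$a"); then echo "$a eui64 mac=$mac"; else echo "$a random"; fi
  done
}
```

Feed a live interface with {{ic|ip -6 addr show dev eth0 &#124; audit_ip6}}. A line reporting {{ic|eui64 mac&#61;...}} is an address that exposes the hardware address; with privacy extensions working it is accompanied by a {{ic|random}} line for the temporary address that outgoing connections prefer, and if no {{ic|random}} line appears at all, privacy extensions are not in effect on that interface (the situation described for NetworkManager above). {{ic|pd_subnet 2001:db8:ab00::/56 8 1}} prints the /64 that the {{ic|sla-len 8}}, {{ic|sla-id 1}} example in {{ic|dhcp6c.conf}} would put on the LAN interface.<br />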
<br />
== IPv6 on Comcast ==<br />
<br />
{{ic|dhcpcd -4}} or {{ic|dhcpcd -6}} worked using a Motorola SURFBoard 6141 and a Realtek RTL8168d/8111d. Either would work, but would not run dual stack: both protocols and addresses on one interface. (The {{ic|-6}} command would not work if {{ic|-4}} ran first, even after resetting the interface. And when it did, it gave the NIC a /128 address.) Try these commands:<br />
<br />
# dhclient -4 enp3s0<br />
# dhclient -P -v enp3s0<br />
<br />
The {{ic|-P}} argument grabs a lease of the IPv6 prefix only. {{ic|-v}} writes to {{ic|stdout}} what is also written to {{ic|/var/lib/dhclient/dhclient6.leases}}:<br />
<br />
Bound to *:546<br />
Listening on Socket/enp3s0<br />
Sending on Socket/enp3s0<br />
PRC: Confirming active lease (INIT-REBOOT).<br />
XMT: Forming Rebind, 0 ms elapsed.<br />
XMT: X-- IA_PD a1:b2:cd:e2<br />
XMT: | X-- Requested renew +3600<br />
XMT: | X-- Requested rebind +5400<br />
XMT: | | X-- '''IAPREFIX 1234:5:6700:890::/64'''<br />
<br />
{{ic|IAPREFIX}} is the necessary value. Substitute {{ic|::1}} before the CIDR slash to make the prefix a real address:<br />
<br />
# ip -6 addr add 1234:5:6700:890::1/64 dev enp3s0<br />
<br />
== Disable IPv6 ==<br />
<br />
{{Note|The Arch kernel has IPv6 support built in directly, therefore a module cannot be blacklisted.}}<br />
<br />
{{Expansion|Add reasons why users may want to disable IPv6, such as low-quality DNS servers or firewall rules}}<br />
<br />
=== Disable functionality ===<br />
<br />
Adding {{ic|1=ipv6.disable=1}} to the kernel line disables the whole IPv6 stack, which is likely what you want if you are experiencing issues. See [[Kernel parameters]] for more information.<br />
<br />
Alternatively, adding {{ic|1=ipv6.disable_ipv6=1}} instead will keep the IPv6 stack functional but will not assign IPv6 addresses to any of your network devices.<br />
<br />
One can also avoid assigning IPv6 addresses to specific network interfaces by adding the following sysctl config to {{ic|/etc/sysctl.d/40-ipv6.conf}}:<br />
<br />
# Disable IPv6<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.''nic0''.disable_ipv6 = 1<br />
...<br />
net.ipv6.conf.''nicN''.disable_ipv6 = 1<br />
<br />
Note that you must list all of the targeted interfaces explicitly, as setting {{ic|all.disable_ipv6}} does not apply to interfaces that are already "up" when the sysctl settings are applied.<br />
<br />
Note also that if you disable IPv6 via sysctl, you should comment out the IPv6 hosts in your {{ic|/etc/hosts}}:<br />
<br />
#<ip-address> <hostname.domain.org> <hostname><br />
127.0.0.1 localhost.localdomain localhost<br />
#::1 localhost.localdomain localhost<br />
<br />
otherwise there could be connection errors because hosts are resolved to an IPv6 address that is not reachable.<br />
<br />
=== Other programs ===<br />
<br />
Disabling IPv6 functionality in the kernel does not prevent other programs from trying to use IPv6. In most cases, this is completely harmless, but if you find yourself having issues with that program, you should consult the program's manual pages for a way to disable that functionality.<br />
<br />
==== dhcpcd ====<br />
<br />
''dhcpcd'' will continue to harmlessly attempt to perform IPv6 router solicitation. To disable this, as stated in the {{ic|dhcpcd.conf (5)}} [[man page]], add the following to {{ic|/etc/dhcpcd.conf}}:<br />
<br />
noipv6rs<br />
noipv6<br />
<br />
==== NetworkManager ====<br />
<br />
{{Poor writing|Specific approach to disable via GUI}}<br />
<br />
To disable IPv6 in NetworkManager, right click the network status icon, and select ''Edit Connections > Wired > ''Network name'' > Edit > IPv6 Settings > Method > Ignore/Disabled''<br />
<br />
Then click "Save".<br />
<br />
==== ntpd ====<br />
<br />
Following advice in [[Systemd#Drop-in snippets]], change how systemd starts {{ic|ntpd.service}}:<br />
<br />
# systemctl edit ntpd.service<br />
<br />
This will create a drop-in snippet that will be run instead of the default {{ic|ntpd.service}}. The {{ic|-4}} flag prevents IPv6 from being used by the ntp daemon. Put the following into the drop-in snippet:<br />
<br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/ntpd -4 -g -u ntp:ntp<br />
<br />
which first clears the previous {{ic|ExecStart}}, and then replaces it with one that includes the {{ic|-4}} flag.<br />
<br />
== See also ==<br />
<br />
* [https://www.kernel.org/doc/Documentation/networking/ipv6.txt IPv6] - kernel.org documentation<br />
* [http://www.ipsidixit.net/2012/08/09/ipv6-temporary-addresses-and-privacy-extensions/ IPv6 temporary addresses] - a summary about temporary addresses and privacy extensions<br />
* [http://tldp.org/HOWTO/Linux+IPv6-HOWTO/x513.html IPv6 prefixes] - a summary of prefix types<br />
* [http://tldp.org/HOWTO/Linux+IPv6-HOWTO/proc-sys-net-ipv6..html net.ipv6 options] - documentation of kernel parameters</div>Foucaulthttps://wiki.archlinux.org/index.php?title=IPv6&diff=369341IPv62015-04-11T15:19:12Z<p>Foucault: /* Stateless autoconfiguration (SLAAC) */ Firewall tweaks for SLAAC</p>
<hr />
<div>[[Category:Networking]]<br />
[[es:IPv6]]<br />
[[ja:IPv6]]<br />
[[pt:IPv6]]<br />
[[ru:IPv6]]<br />
[[zh-CN:IPv6]]<br />
{{Related articles start}}<br />
{{Related|IPv6 tunnel broker setup}}<br />
{{Related articles end}}<br />
In Arch Linux, IPv6 is enabled by default. If you are looking for information regarding IPv6 tunnels, you may want to look at [[IPv6 tunnel broker setup]].<br />
<br />
== Neighbor discovery ==<br />
<br />
Pinging the multicast address {{ic|ff02::1}} results in all hosts in link-local scope responding. An interface has to be specified:<br />
<br />
$ ping6 ff02::1%eth0<br />
<br />
With a ping to the multicast address {{ic|ff02::2}} only routers will respond.<br />
<br />
If you add an option {{ic|-I ''your-global-ipv6''}}, link-local hosts will respond with their global-scope addresses. The interface can be omitted in this case:<br />
<br />
$ ping6 -I 2001:4f8:fff6::21 ff02::1<br />
<br />
== Stateless autoconfiguration (SLAAC) ==<br />
<br />
The easiest way to acquire an IPv6 address, as long as your network is configured for it, is through ''Stateless address autoconfiguration'' (SLAAC for short). The address is automatically derived from the prefix that your router advertises and requires neither further configuration nor specialized software such as a DHCP client.<br />
<br />
=== For clients ===<br />
<br />
If you are using [[netctl]] you just need to add the following line to your ethernet or wireless profile:<br />
<br />
IP6=stateless<br />
<br />
If you are using [[NetworkManager]] then it automatically enables IPv6 addresses if there are advertisements for them in the network.<br />
<br />
Please note that stateless autoconfiguration works only if ICMPv6 packets are allowed throughout the network, so on the client side {{ic|ipv6-icmp}} packets must be accepted. If you are using the [[Simple stateful firewall]]/[[iptables]] you only need to add:<br />
<br />
-A INPUT -p ipv6-icmp -j ACCEPT<br />
<br />
If you are using another firewall frontend (ufw, shorewall, etc.) consult its documentation on how to allow {{ic|ipv6-icmp}} packets.<br />
<br />
=== For gateways ===<br />
<br />
To properly hand out IPv6 addresses to the network clients we will need to use a router advertisement daemon. The standard tool for this job is {{Pkg|radvd}}, which is available in the [[official repositories]]. Configuration of radvd is fairly simple. Edit {{ic|/etc/radvd.conf}} to include<br />
<br />
# replace LAN with your LAN facing interface<br />
interface LAN {<br />
AdvSendAdvert on;<br />
MinRtrAdvInterval 3;<br />
MaxRtrAdvInterval 10;<br />
prefix ::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
};<br />
};<br />
<br />
The above configuration will tell clients to autoconfigure themselves using addresses from the advertised /64 block. Please note that the above configuration advertises ''all available prefixes'' assigned to the LAN-facing interface. If you want to limit the advertised prefixes, use the desired prefix instead of {{ic|::/64}}, e.g. {{ic|2001:DB8::/64}}. The {{ic|prefix}} block can be repeated for more prefixes.<br />
<br />
The gateway must also allow the traffic of {{ic|ipv6-icmp}} packets on all basic chains. For the [[Simple stateful firewall]]/[[iptables]] add:<br />
<br />
-A INPUT -p ipv6-icmp -j ACCEPT<br />
-A OUTPUT -p ipv6-icmp -j ACCEPT<br />
-A FORWARD -p ipv6-icmp -j ACCEPT<br />
<br />
Adjust accordingly for other firewall frontends.<br />
<br />
== Privacy extensions ==<br />
<br />
When a client acquires an address through SLAAC its IPv6 address is derived from the advertised prefix and the MAC address of the client's network interface. This may raise security concerns, as the MAC address of the computer can easily be derived from the IPv6 address. In order to tackle this problem the ''IPv6 Privacy Extensions'' standard ([https://tools.ietf.org/html/rfc4941 RFC 4941]) has been developed. With privacy extensions the kernel generates a ''temporary'' address with a randomized interface identifier next to the original autoconfigured address. Temporary addresses are preferred for outgoing connections to remote servers, so the original address is hidden. To enable Privacy Extensions perform the following steps:<br />
<br />
Add these lines to {{ic|/etc/sysctl.d/40-ipv6.conf}}:<br />
<br />
# Enable IPv6 Privacy Extensions<br />
net.ipv6.conf.all.use_tempaddr = 2<br />
net.ipv6.conf.default.use_tempaddr = 2<br />
net.ipv6.conf.''nic0''.use_tempaddr = 2<br />
...<br />
net.ipv6.conf.''nicN''.use_tempaddr = 2<br />
<br />
Where {{ic|nic0}} to {{ic|nicN}} are your '''N'''etwork '''I'''nterface '''C'''ards. The {{ic|all.use_tempaddr}} and {{ic|default.use_tempaddr}} parameters are not applied to NICs that already exist when the [[sysctl]] settings are applied, which is why each interface is listed explicitly.<br />
<br />
After a reboot, at the latest, Privacy Extensions should be enabled.<br />
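A check for the caveat above, added here as an example and not part of the wiki page: it parses {{ic|ip -6 addr show}} output (a constructed sample with documentation prefixes is embedded; on a live host pipe the real output in) and reports which interfaces actually received a {{ic|scope global temporary}} address and which only carry the MAC-derived one.<br />

```shell
#!/bin/sh
# Added example, not from the wiki page: verify that use_tempaddr took effect
# by checking which interfaces carry a "scope global temporary" address.
# SAMPLE_IP6 is constructed `ip -6 addr show` output using documentation
# prefixes; eth0 has a temporary address, wlan0 only the MAC-derived one.
SAMPLE_IP6='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:4c9f:1ab2:77e0:9c3d/64 scope global temporary dynamic
       valid_lft 86399sec preferred_lft 14399sec
    inet6 2001:db8:1:2:216:3eff:fe12:3456/64 scope global dynamic mngtmpaddr
       valid_lft 86399sec preferred_lft 14399sec
    inet6 fe80::216:3eff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:3:216:3eff:feab:cdef/64 scope global dynamic mngtmpaddr
       valid_lft 86399sec preferred_lft 14399sec
    inet6 fe80::216:3eff:feab:cdef/64 scope link
       valid_lft forever preferred_lft forever'

# List the interface names found in `ip -6 addr show` text read from stdin
# (the "N: name:" header lines; a "@if" suffix of veth pairs is dropped).
interfaces() {
    awk '/^[0-9]+: / { sub(/[@:].*/, "", $2); print $2 }'
}

# Print "<address> <kind>" for every global address of interface $1, where
# kind is "temporary" (privacy address) or "stable" (the MAC-derived one).
# Reads `ip -6 addr show` text from stdin.
global_addrs() {
    awk -v want="$1" '
        /^[0-9]+: / { sub(/[@:].*/, "", $2); iface = $2; next }
        iface == want && $1 == "inet6" && /scope global/ {
            kind = ($0 ~ /temporary/) ? "temporary" : "stable"
            print $2, kind
        }'
}

# Succeed if interface $1 has at least one global temporary address.
has_temporary() {
    global_addrs "$1" | grep -q ' temporary$'
}

# One status line per interface. Interfaces without any global address
# (link-local only) are reported separately so they are not mistaken for a
# failed privacy-extensions setup.
report() {
    text=$(cat)
    for iface in $(printf '%s\n' "$text" | interfaces); do
        if printf '%s\n' "$text" | has_temporary "$iface"; then
            echo "$iface: ok, temporary address present"
        elif printf '%s\n' "$text" | global_addrs "$iface" | grep -q .; then
            echo "$iface: WARNING, stable global address only; use_tempaddr not in effect"
        else
            echo "$iface: no global address"
        fi
    done
}

# Run on the constructed sample; on a live host replace the first command
# with `ip -6 addr show`.
printf '%s\n' "$SAMPLE_IP6" | report
```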
<br />
=== dhcpcd ===<br />
<br />
Since version 6.4.0, [[dhcpcd]] includes the option {{ic|slaac private}} in its default configuration file, which enables "Stable Private IPv6 Addresses instead of hardware based ones", implementing [https://tools.ietf.org/html/rfc7217 RFC 7217] ([http://roy.marples.name/projects/dhcpcd/info/8aa9dab00dc72c453aeccbde885ecce27a3d81ff commit]). Therefore nothing needs to be changed, unless you want the IPv6 address to change more often than each time the system connects to a new network.<br />
<br />
=== NetworkManager ===<br />
<br />
NetworkManager does not honour the settings placed in {{ic|/etc/sysctl.d/40-ipv6.conf}}. This can be verified by running {{ic|$ ip -6 addr show ''interface''}} after rebooting: no {{ic|scope global '''temporary'''}} address appears besides the regular one.<br />
<br />
See [[NetworkManager#Enable IPv6 Privacy Extensions]] for a workaround.<br />
<br />
{{Note|Although it may seem the {{ic|scope global temporary}} IPv6 address created by enabling Privacy Extensions never gets renewed (it never shifts to {{ic|deprecated}} status at the term of its {{ic|valid_lft}} lifetime), it is to be verified over a longer period of time that this address '''does''' indeed change.}}<br />
<br />
== Static address ==<br />
<br />
Sometimes using a static address can improve security. For example, if your local router uses Neighbor Discovery or radvd ([http://www.apps.ietf.org/rfc/rfc2461.html RFC 2461]), your interface will automatically be assigned an address based on its MAC address (using IPv6 Stateless Autoconfiguration). This may be less than ideal for security, since it allows a system to be tracked even if the network portion of the IP address changes.<br />
<br />
To assign a static IP address using [[netctl]], look at the example profile in {{ic|/etc/netctl/examples/ethernet-static}}. The following lines are important:<br />
<br />
...<br />
# For IPv6 static address configuration<br />
IP6=static<br />
Address6=('1234:5678:9abc:def::1/64' '1234:3456::123/96')<br />
Routes6=('abcd::1234')<br />
Gateway6='1234:0:123::abcd'<br />
<br />
== IPv6 and PPPoE ==<br />
<br />
The standard tool for PPPoE, {{ic|pppd}}, provides support for IPv6 on PPPoE as long as your ISP and your modem support it. Just add the following to {{ic|/etc/ppp/pppoe.conf}}<br />
<br />
+ipv6<br />
<br />
If you are using [[netctl]] for PPPoE then just add the following to your netctl configuration instead<br />
<br />
PPPoEIP6=yes<br />
<br />
== Prefix delegation (DHCPv6-PD) ==<br />
{{Note|This section is targeted towards custom gateway configuration, not client machines. For standard market routers please consult the documentation of your router on how to enable prefix delegation.}}<br />
<br />
Prefix delegation is a common IPv6 deployment technique used by many ISPs. It is a method of assigning a network prefix to a user site (i.e. a local network). A router can be configured to assign different network prefixes to various subnetworks. The ISP hands out a network prefix using DHCPv6 (usually a {{ic|/56}} or {{ic|/64}}) and a DHCP client assigns the prefixes to the local network. For a simple two-interface gateway this practically means assigning an IPv6 prefix to the interface connected to the local network, taken from the prefix acquired through the interface connected to the WAN (or a pseudo-interface such as ppp).<br />
<br />
=== With dibbler ===<br />
<br />
[http://klub.com.pl/dhcpv6/ Dibbler] is a portable DHCPv6 client and server which can be used for prefix delegation. It is available in the [https://aur.archlinux.org/packages/dibbler AUR].<br />
<br />
If you are using {{ic|dibbler}} edit {{ic|/etc/dibbler/client.conf}}<br />
<br />
log-mode short<br />
log-level 7<br />
# use the interface connected to your WAN<br />
iface "WAN" {<br />
ia<br />
pd<br />
}<br />
<br />
{{Tip|Read manpage '''{{ic|dibbler-client(8)}}''' for more information.}}<br />
<br />
=== With dhcpcd ===<br />
<br />
[[Dhcpcd]], apart from IPv4 DHCP support, also provides a fairly complete implementation of the DHCPv6 client standard, which includes DHCPv6-PD. If you are using {{ic|dhcpcd}}, edit {{ic|/etc/dhcpcd.conf}}. You might already be using dhcpcd for IPv4, in which case just update your existing configuration.<br />
<br />
duid<br />
noipv6rs<br />
waitip 6<br />
# Uncomment this line if you are running dhcpcd for IPv6 only.<br />
#ipv6only<br />
<br />
# use the interface connected to WAN<br />
interface WAN<br />
ipv6rs<br />
iaid 1<br />
# use the interface connected to your LAN<br />
ia_pd 1 LAN<br />
#ia_pd 1/::/64 LAN/0/64<br />
<br />
This configuration will ask for a prefix from WAN interface ({{ic|WAN}}) and delegate it to the internal interface ({{ic|LAN}}).<br />
In the event that a {{ic|/64}} range is issued, you will need to use the second {{ic|ia_pd}} instruction, which is commented out, instead.<br />
It will also disable router solicitations on all interfaces except for the WAN interface ({{ic|WAN}}).<br />
<br />
{{Tip|Also read: manpages '''{{ic|dhcpcd(8)}}''' and '''{{ic|dhcpcd.conf(5)}}'''.}}<br />
<br />
=== With WIDE-DHCPv6 ===<br />
<br />
[http://wide-dhcpv6.sourceforge.net/ WIDE-DHCPv6] is an open-source implementation of the Dynamic Host Configuration Protocol for IPv6 (DHCPv6) originally developed by the KAME project. It is available in the [https://aur.archlinux.org/packages/wide-dhcpv6/ AUR].<br />
<br />
If you are using {{ic|wide-dhcpv6}} edit {{ic|/etc/wide-dhcpv6/dhcp6c.conf}}<br />
<br />
# use the interface connected to your WAN<br />
interface WAN {<br />
send ia-pd 0;<br />
};<br />
<br />
id-assoc pd 0 {<br />
# use the interface connected to your LAN<br />
prefix-interface LAN {<br />
sla-id 1;<br />
sla-len 8;<br />
};<br />
};<br />
<br />
{{Note|1={{ic|sla-len}} should be set so that {{ic|1=(WAN-prefix) + (sla-len) = 64}}. In this case it is set up for a {{ic|/56}} prefix 56+8=64. For a {{ic|/64}} prefix {{ic|sla-len}} should be {{ic|0}}.}}<br />
<br />
To enable and start the wide-dhcpv6 client use the following command, replacing {{ic|WAN}} with the interface that is connected to your WAN:<br />
# systemctl enable/start dhcp6c@WAN.service<br />
<br />
{{Tip|Read manpages '''{{ic|dhcp6c(8)}}''' and '''{{ic|dhcp6c.conf(5)}}''' for more information.}}<br />
<br />
== IPv6 on Comcast ==<br />
<br />
{{ic|dhcpcd -4}} or {{ic|dhcpcd -6}} worked using a Motorola SURFBoard 6141 and a Realtek RTL8168d/8111d. Either would work, but would not run dual stack: both protocols and addresses on one interface. (The {{ic|-6}} command would not work if {{ic|-4}} ran first, even after resetting the interface. And when it did, it gave the NIC a /128 address.) Try these commands:<br />
<br />
# dhclient -4 enp3s0<br />
# dhclient -P -v enp3s0<br />
<br />
The {{ic|-P}} argument grabs a lease of the IPv6 prefix only. {{ic|-v}} writes to {{ic|stdout}} what is also written to {{ic|/var/lib/dhclient/dhclient6.leases}}:<br />
<br />
Bound to *:546<br />
Listening on Socket/enp3s0<br />
Sending on Socket/enp3s0<br />
PRC: Confirming active lease (INIT-REBOOT).<br />
XMT: Forming Rebind, 0 ms elapsed.<br />
XMT: X-- IA_PD a1:b2:cd:e2<br />
XMT: | X-- Requested renew +3600<br />
XMT: | X-- Requested rebind +5400<br />
XMT: | | X-- '''IAPREFIX 1234:5:6700:890::/64'''<br />
<br />
{{ic|IAPREFIX}} is the value you need. Replace the trailing {{ic|::}} before the CIDR slash with {{ic|::1}} to turn the prefix into a usable host address:<br />
<br />
# ip -6 addr add 1234:5:6700:890::1/64 dev enp3s0<br />
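The prefix extraction described above, added here as an example and not part of the wiki page: it pulls the {{ic|IAPREFIX}} value out of {{ic|dhclient -P -v}} output (the log below is constructed after the page's sample, with a documentation prefix) and composes the {{ic|ip -6 addr add}} command rather than running it; prefixes not written with a trailing {{ic|::}} are rejected instead of guessed.<br />

```shell
#!/bin/sh
# Added example, not from the wiki page: turn the IAPREFIX line of
# `dhclient -P -v` output into the ::1 host address for `ip -6 addr add`.
# DHCLIENT_LOG is constructed, modelled on the page's sample output.
DHCLIENT_LOG='Bound to *:546
Listening on Socket/enp3s0
Sending on Socket/enp3s0
PRC: Confirming active lease (INIT-REBOOT).
XMT: Forming Rebind, 0 ms elapsed.
XMT: X-- IA_PD a1:b2:cd:e2
XMT: | X-- Requested renew +3600
XMT: | X-- Requested rebind +5400
XMT: | | X-- IAPREFIX 2001:db8:6700:890::/64'

# Print the first IAPREFIX value (prefix/length) found on stdin; fail if none.
iaprefix_from_log() {
    awk '/IAPREFIX/ { print $NF; found = 1; exit } END { exit !found }'
}

# Turn "prefix::/len" into the first host address "prefix::1/len".
# Only prefixes written with a trailing "::" are accepted; anything else
# (a fully written-out prefix, a missing length) is rejected, not guessed.
prefix_to_address() {
    case $1 in
        *::/[0-9]|*::/[0-9][0-9]|*::/1[0-2][0-9])
            printf '%s1/%s\n' "${1%/*}" "${1##*/}" ;;
        *)
            echo "prefix_to_address: unsupported prefix form: $1" >&2
            return 1 ;;
    esac
}

# Compose the command the page ends with, for interface $2, without running it.
addr_add_command() {
    addr=$(prefix_to_address "$1") || return 1
    printf 'ip -6 addr add %s dev %s\n' "$addr" "$2"
}

# Demo on the constructed log; on a live host feed `dhclient -P -v enp3s0`
# output into iaprefix_from_log instead.
prefix=$(printf '%s\n' "$DHCLIENT_LOG" | iaprefix_from_log)
echo "delegated prefix: $prefix"
addr_add_command "$prefix" enp3s0
```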
<br />
== Disable IPv6 ==<br />
<br />
{{Note|The Arch kernel has IPv6 support built in directly, therefore a module cannot be blacklisted.}}<br />
<br />
{{Expansion|Add reasons why users may want to disable IPv6, such as low-quality DNS servers or firewall rules}}<br />
<br />
=== Disable functionality ===<br />
<br />
Adding {{ic|1=ipv6.disable=1}} to the kernel line disables the whole IPv6 stack, which is likely what you want if you are experiencing issues. See [[Kernel parameters]] for more information.<br />
<br />
Alternatively, adding {{ic|1=ipv6.disable_ipv6=1}} instead will keep the IPv6 stack functional but will not assign IPv6 addresses to any of your network devices.<br />
<br />
One can also avoid assigning IPv6 addresses to specific network interfaces by adding the following sysctl config to {{ic|/etc/sysctl.d/40-ipv6.conf}}:<br />
<br />
# Disable IPv6<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.''nic0''.disable_ipv6 = 1<br />
...<br />
net.ipv6.conf.''nicN''.disable_ipv6 = 1<br />
<br />
Note that you must list all of the targeted interfaces explicitly, as setting {{ic|all.disable_ipv6}} does not apply to interfaces that are already "up" when the sysctl settings are applied.<br />
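A generator for the per-interface lines that both the privacy extensions and the disable sections require, added here as an example and not part of the wiki page: it emits entries for {{ic|all}}, {{ic|default}} and every interface name passed in (on a live host, the names in {{ic|/sys/class/net}}); the parameter and value are arguments, so the same function serves {{ic|1=use_tempaddr = 2}} and {{ic|1=disable_ipv6 = 1}}. Interface names containing a dot (VLAN interfaces) are written in the slash-separated key form that {{ic|sysctl}} accepts for such names.<br />

```shell
#!/bin/sh
# Added example, not from the wiki page: build the per-interface sysctl lines
# that /etc/sysctl.d/40-ipv6.conf needs, because the "all" and "default"
# entries do not reach interfaces that already exist when the file is applied.
# Works for use_tempaddr (privacy extensions) and disable_ipv6 alike.

# sysctl key for interface $1 and parameter $2. Interface names containing a
# dot (VLAN interfaces such as eth0.100) would be split at the dot in the
# usual dotted form, so those are written in the slash-separated form.
sysctl_key() {
    case $1 in
        *.*) printf 'net/ipv6/conf/%s/%s\n' "$1" "$2" ;;
        *)   printf 'net.ipv6.conf.%s.%s\n' "$1" "$2" ;;
    esac
}

# Print a complete sysctl fragment. $1 = parameter (use_tempaddr, disable_ipv6),
# $2 = value, remaining arguments = interface names to cover. "all" and
# "default" are always emitted so interfaces created later are covered too;
# the loopback interface is skipped.
ipv6_sysctl_conf() {
    param=$1; value=$2; shift 2
    printf '# IPv6 %s for all interfaces present at generation time\n' "$param"
    printf 'net.ipv6.conf.all.%s = %s\n' "$param" "$value"
    printf 'net.ipv6.conf.default.%s = %s\n' "$param" "$value"
    for iface in "$@"; do
        [ "$iface" = lo ] && continue
        printf '%s = %s\n' "$(sysctl_key "$iface" "$param")" "$value"
    done
}

# Interface names on the running host, one per line.
present_interfaces() {
    ls /sys/class/net
}

# Demo with a constructed interface list. On a real host:
#   ipv6_sysctl_conf use_tempaddr 2 $(present_interfaces) > /etc/sysctl.d/40-ipv6.conf
ipv6_sysctl_conf use_tempaddr 2 lo eth0 wlan0 eth0.100
```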
<br />
Also, if you disable IPv6 via sysctl, you should comment out the IPv6 hosts in your {{ic|/etc/hosts}}:<br />
<br />
#<ip-address> <hostname.domain.org> <hostname><br />
127.0.0.1 localhost.localdomain localhost<br />
#::1 localhost.localdomain localhost<br />
<br />
otherwise there may be connection errors, because hosts are resolved to their IPv6 address, which is no longer reachable.<br />
<br />
=== Other programs ===<br />
<br />
Disabling IPv6 functionality in the kernel does not prevent other programs from trying to use IPv6. In most cases, this is completely harmless, but if you find yourself having issues with that program, you should consult the program's manual pages for a way to disable that functionality.<br />
<br />
==== dhcpcd ====<br />
<br />
''dhcpcd'' will continue to harmlessly attempt IPv6 router solicitation. To disable this, as stated in the {{ic|dhcpcd.conf(5)}} [[man page]], add the following to {{ic|/etc/dhcpcd.conf}}:<br />
<br />
noipv6rs<br />
noipv6<br />
<br />
==== NetworkManager ====<br />
<br />
{{Poor writing|Specific approach to disable via GUI}}<br />
<br />
To disable IPv6 in NetworkManager, right click the network status icon, and select ''Edit Connections > Wired > ''Network name'' > Edit > IPv6 Settings > Method > Ignore/Disabled''<br />
<br />
Then click "Save".<br />
<br />
==== ntpd ====<br />
<br />
Following advice in [[Systemd#Drop-in snippets]], change how systemd starts {{ic|ntpd.service}}:<br />
<br />
# systemctl edit ntpd.service<br />
<br />
This will create a drop-in snippet that will be run instead of the default {{ic|ntpd.service}}. The {{ic|-4}} flag prevents IPv6 from being used by the ntp daemon. Put the following into the drop-in snippet:<br />
<br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/ntpd -4 -g -u ntp:ntp<br />
<br />
which first clears the previous {{ic|ExecStart}}, and then replaces it with one that includes the {{ic|-4}} flag.<br />
<br />
== See also ==<br />
<br />
* [https://www.kernel.org/doc/Documentation/networking/ipv6.txt IPv6] - kernel.org documentation<br />
* [http://www.ipsidixit.net/2012/08/09/ipv6-temporary-addresses-and-privacy-extensions/ IPv6 temporary addresses] - a summary about temporary addresses and privacy extensions<br />
* [http://tldp.org/HOWTO/Linux+IPv6-HOWTO/x513.html IPv6 prefixes] - a summary of prefix types<br />
* [http://tldp.org/HOWTO/Linux+IPv6-HOWTO/proc-sys-net-ipv6..html net.ipv6 options] - documentation of kernel parameters</div>Foucaulthttps://wiki.archlinux.org/index.php?title=IPv6&diff=369340IPv62015-04-11T15:12:08Z<p>Foucault: Reorganization of the text; moved privacy extensions after SLAAC</p>
<hr />
<div>[[Category:Networking]]<br />
[[es:IPv6]]<br />
[[ja:IPv6]]<br />
[[pt:IPv6]]<br />
[[ru:IPv6]]<br />
[[zh-CN:IPv6]]<br />
{{Related articles start}}<br />
{{Related|IPv6 tunnel broker setup}}<br />
{{Related articles end}}<br />
In Arch Linux, IPv6 is enabled by default. If you are looking for information regarding IPv6 tunnels, you may want to look at [[IPv6 tunnel broker setup]].<br />
<br />
== Neighbor discovery ==<br />
<br />
Pinging the multicast address {{ic|ff02::1}} results in all hosts in link-local scope responding. An interface has to be specified:<br />
<br />
$ ping6 ff02::1%eth0<br />
<br />
With a ping to the multicast address {{ic|ff02::2}} only routers will respond.<br />
<br />
If you add the option {{ic|-I ''your-global-ipv6''}}, hosts on the link will respond with their global scope addresses. The interface can be omitted in this case:<br />
<br />
$ ping6 -I 2001:4f8:fff6::21 ff02::1<br />
<br />
== Stateless autoconfiguration (SLAAC) ==<br />
<br />
The easiest way to acquire an IPv6 address, provided your network is set up for it, is through ''Stateless address autoconfiguration'' (SLAAC for short). The address is automatically inferred from the prefix that your router advertises and requires neither further configuration nor specialized software such as a DHCP client.<br />
<br />
=== For clients ===<br />
<br />
If you are using [[netctl]] you just need to add the following line to your ethernet or wireless configuration.<br />
<br />
IP6=stateless<br />
<br />
If you are using [[NetworkManager]] then it automatically enables IPv6 addresses if there are advertisements for them in the network.<br />
<br />
=== For gateways ===<br />
<br />
To properly hand out IPv6 addresses to the network clients, an advertising daemon is needed. The standard tool for this job is {{Pkg|radvd}}, which is available in the [[official repositories]]. Configuration of radvd is fairly simple. Edit {{ic|/etc/radvd.conf}} to include:<br />
<br />
# replace LAN with your LAN facing interface<br />
interface LAN {<br />
AdvSendAdvert on;<br />
MinRtrAdvInterval 3;<br />
MaxRtrAdvInterval 10;<br />
prefix ::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
};<br />
};<br />
<br />
The above configuration tells clients to autoconfigure themselves using addresses from the advertised /64 block. Note that this configuration advertises ''all available prefixes'' assigned to the LAN facing interface. If you want to limit the advertised prefixes, use the desired prefix instead of {{ic|::/64}}, e.g. {{ic|2001:DB8::/64}}. The {{ic|prefix}} block can be repeated for additional prefixes.<br />
<br />
== Privacy extensions ==<br />
<br />
When a client acquires an address through SLAAC, its IPv6 address is derived from the advertised prefix and the MAC address of the client's network interface. This may raise security concerns, as the MAC address of the computer can easily be derived from the IPv6 address. To tackle this problem the ''IPv6 Privacy Extensions'' standard ([https://tools.ietf.org/html/rfc4941 RFC 4941]) was developed. With privacy extensions the kernel additionally generates a ''temporary'' address whose interface identifier is randomised instead of being derived from the MAC address. The temporary address is preferred when connecting to a remote server, so the original address stays hidden. To enable Privacy Extensions, follow these steps:<br />
<br />
Add these lines to {{ic|/etc/sysctl.d/40-ipv6.conf}}:<br />
<br />
# Enable IPv6 Privacy Extensions<br />
net.ipv6.conf.all.use_tempaddr = 2<br />
net.ipv6.conf.default.use_tempaddr = 2<br />
net.ipv6.conf.''nic0''.use_tempaddr = 2<br />
...<br />
net.ipv6.conf.''nicN''.use_tempaddr = 2<br />
<br />
Where {{ic|nic0}} to {{ic|nicN}} are your '''N'''etwork '''I'''nterface '''C'''ards. The {{ic|all.use_tempaddr}} and {{ic|default.use_tempaddr}} parameters are not applied to NICs that already exist when the [[sysctl]] settings are applied, so every existing interface has to be listed explicitly.<br />
<br />
After a reboot, at the latest, Privacy Extensions should be enabled.<br />
<br />
=== dhcpcd ===<br />
<br />
Since version 6.4.0, [[dhcpcd]] includes the option {{ic|slaac private}} in its default configuration file, which enables "Stable Private IPv6 Addresses instead of hardware based ones", implementing [https://tools.ietf.org/html/rfc7217 RFC 7217] ([http://roy.marples.name/projects/dhcpcd/info/8aa9dab00dc72c453aeccbde885ecce27a3d81ff commit]). Therefore nothing needs to be changed, unless you want the IPv6 address to change more often than each time the system connects to a new network.<br />
<br />
=== NetworkManager ===<br />
<br />
NetworkManager does not honour the settings placed in {{ic|/etc/sysctl.d/40-ipv6.conf}}. This can be verified by running {{ic|$ ip -6 addr show ''interface''}} after rebooting: no {{ic|scope global '''temporary'''}} address appears besides the regular one.<br />
<br />
See [[NetworkManager#Enable IPv6 Privacy Extensions]] for a workaround.<br />
<br />
{{Note|Although it may seem the {{ic|scope global temporary}} IPv6 address created by enabling Privacy Extensions never gets renewed (it never shifts to {{ic|deprecated}} status at the term of its {{ic|valid_lft}} lifetime), it is to be verified over a longer period of time that this address '''does''' indeed change.}}<br />
<br />
== Static address ==<br />
<br />
Sometimes using a static address can improve security. For example, if your local router uses Neighbor Discovery or radvd ([http://www.apps.ietf.org/rfc/rfc2461.html RFC 2461]), your interface will automatically be assigned an address based on its MAC address (using IPv6 Stateless Autoconfiguration). This may be less than ideal for security, since it allows a system to be tracked even if the network portion of the IP address changes.<br />
<br />
To assign a static IP address using [[netctl]], look at the example profile in {{ic|/etc/netctl/examples/ethernet-static}}. The following lines are important:<br />
<br />
...<br />
# For IPv6 static address configuration<br />
IP6=static<br />
Address6=('1234:5678:9abc:def::1/64' '1234:3456::123/96')<br />
Routes6=('abcd::1234')<br />
Gateway6='1234:0:123::abcd'<br />
<br />
== IPv6 and PPPoE ==<br />
<br />
The standard tool for PPPoE, {{ic|pppd}}, provides support for IPv6 on PPPoE as long as your ISP and your modem support it. Just add the following to {{ic|/etc/ppp/pppoe.conf}}<br />
<br />
+ipv6<br />
<br />
If you are using [[netctl]] for PPPoE then just add the following to your netctl configuration instead<br />
<br />
PPPoEIP6=yes<br />
<br />
== Prefix delegation (DHCPv6-PD) ==<br />
{{Note|This section is targeted towards custom gateway configuration, not client machines. For standard market routers please consult the documentation of your router on how to enable prefix delegation.}}<br />
<br />
Prefix delegation is a common IPv6 deployment technique used by many ISPs. It is a method of assigning a network prefix to a user site (i.e. a local network). A router can be configured to assign different network prefixes to various subnetworks. The ISP hands out a network prefix using DHCPv6 (usually a {{ic|/56}} or {{ic|/64}}) and a DHCP client assigns the prefixes to the local network. For a simple two-interface gateway this practically means assigning an IPv6 prefix to the interface connected to the local network, taken from the prefix acquired through the interface connected to the WAN (or a pseudo-interface such as ppp).<br />
<br />
=== With dibbler ===<br />
<br />
[http://klub.com.pl/dhcpv6/ Dibbler] is a portable DHCPv6 client and server which can be used for prefix delegation. It is available in the [https://aur.archlinux.org/packages/dibbler AUR].<br />
<br />
If you are using {{ic|dibbler}} edit {{ic|/etc/dibbler/client.conf}}<br />
<br />
log-mode short<br />
log-level 7<br />
# use the interface connected to your WAN<br />
iface "WAN" {<br />
ia<br />
pd<br />
}<br />
<br />
{{Tip|Read manpage '''{{ic|dibbler-client(8)}}''' for more information.}}<br />
<br />
=== With dhcpcd ===<br />
<br />
[[Dhcpcd]], apart from IPv4 DHCP support, also provides a fairly complete implementation of the DHCPv6 client standard, which includes DHCPv6-PD. If you are using {{ic|dhcpcd}}, edit {{ic|/etc/dhcpcd.conf}}. You might already be using dhcpcd for IPv4, in which case just update your existing configuration.<br />
<br />
duid<br />
noipv6rs<br />
waitip 6<br />
# Uncomment this line if you are running dhcpcd for IPv6 only.<br />
#ipv6only<br />
<br />
# use the interface connected to WAN<br />
interface WAN<br />
ipv6rs<br />
iaid 1<br />
# use the interface connected to your LAN<br />
ia_pd 1 LAN<br />
#ia_pd 1/::/64 LAN/0/64<br />
<br />
This configuration will ask for a prefix from WAN interface ({{ic|WAN}}) and delegate it to the internal interface ({{ic|LAN}}).<br />
In the event that a {{ic|/64}} range is issued, you will need to use the second {{ic|ia_pd}} instruction, which is commented out, instead.<br />
It will also disable router solicitations on all interfaces except for the WAN interface ({{ic|WAN}}).<br />
<br />
{{Tip|Also read: manpages '''{{ic|dhcpcd(8)}}''' and '''{{ic|dhcpcd.conf(5)}}'''.}}<br />
<br />
=== With WIDE-DHCPv6 ===<br />
<br />
[http://wide-dhcpv6.sourceforge.net/ WIDE-DHCPv6] is an open-source implementation of the Dynamic Host Configuration Protocol for IPv6 (DHCPv6) originally developed by the KAME project. It is available in the [https://aur.archlinux.org/packages/wide-dhcpv6/ AUR].<br />
<br />
If you are using {{ic|wide-dhcpv6}} edit {{ic|/etc/wide-dhcpv6/dhcp6c.conf}}<br />
<br />
# use the interface connected to your WAN<br />
interface WAN {<br />
send ia-pd 0;<br />
};<br />
<br />
id-assoc pd 0 {<br />
# use the interface connected to your LAN<br />
prefix-interface LAN {<br />
sla-id 1;<br />
sla-len 8;<br />
};<br />
};<br />
<br />
{{Note|1={{ic|sla-len}} should be set so that {{ic|1=(WAN-prefix) + (sla-len) = 64}}. In this case it is set up for a {{ic|/56}} prefix 56+8=64. For a {{ic|/64}} prefix {{ic|sla-len}} should be {{ic|0}}.}}<br />
<br />
To enable and start the wide-dhcpv6 client use the following command, replacing {{ic|WAN}} with the interface that is connected to your WAN:<br />
# systemctl enable/start dhcp6c@WAN.service<br />
<br />
{{Tip|Read manpages '''{{ic|dhcp6c(8)}}''' and '''{{ic|dhcp6c.conf(5)}}''' for more information.}}<br />
<br />
== IPv6 on Comcast ==<br />
<br />
{{ic|dhcpcd -4}} or {{ic|dhcpcd -6}} worked using a Motorola SURFBoard 6141 and a Realtek RTL8168d/8111d. Either would work, but would not run dual stack: both protocols and addresses on one interface. (The {{ic|-6}} command would not work if {{ic|-4}} ran first, even after resetting the interface. And when it did, it gave the NIC a /128 address.) Try these commands:<br />
<br />
# dhclient -4 enp3s0<br />
# dhclient -P -v enp3s0<br />
<br />
The {{ic|-P}} argument grabs a lease of the IPv6 prefix only. {{ic|-v}} writes to {{ic|stdout}} what is also written to {{ic|/var/lib/dhclient/dhclient6.leases}}:<br />
<br />
Bound to *:546<br />
Listening on Socket/enp3s0<br />
Sending on Socket/enp3s0<br />
PRC: Confirming active lease (INIT-REBOOT).<br />
XMT: Forming Rebind, 0 ms elapsed.<br />
XMT: X-- IA_PD a1:b2:cd:e2<br />
XMT: | X-- Requested renew +3600<br />
XMT: | X-- Requested rebind +5400<br />
XMT: | | X-- '''IAPREFIX 1234:5:6700:890::/64'''<br />
<br />
{{ic|IAPREFIX}} is the value you need. Replace the trailing {{ic|::}} before the CIDR slash with {{ic|::1}} to turn the prefix into a usable host address:<br />
<br />
# ip -6 addr add 1234:5:6700:890::1/64 dev enp3s0<br />
<br />
== Disable IPv6 ==<br />
<br />
{{Note|The Arch kernel has IPv6 support built in directly, therefore a module cannot be blacklisted.}}<br />
<br />
{{Expansion|Add reasons why users may want to disable IPv6, such as low-quality DNS servers or firewall rules}}<br />
<br />
=== Disable functionality ===<br />
<br />
Adding {{ic|1=ipv6.disable=1}} to the kernel line disables the whole IPv6 stack, which is likely what you want if you are experiencing issues. See [[Kernel parameters]] for more information.<br />
<br />
Alternatively, adding {{ic|1=ipv6.disable_ipv6=1}} instead will keep the IPv6 stack functional but will not assign IPv6 addresses to any of your network devices.<br />
<br />
One can also avoid assigning IPv6 addresses to specific network interfaces by adding the following sysctl config to {{ic|/etc/sysctl.d/40-ipv6.conf}}:<br />
<br />
# Disable IPv6<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.''nic0''.disable_ipv6 = 1<br />
...<br />
net.ipv6.conf.''nicN''.disable_ipv6 = 1<br />
<br />
Note that you must list all of the targeted interfaces explicitly, as setting {{ic|all.disable_ipv6}} does not apply to interfaces that are already "up" when the sysctl settings are applied.<br />
<br />
Also, if you disable IPv6 via sysctl, you should comment out the IPv6 hosts in your {{ic|/etc/hosts}}:<br />
<br />
#<ip-address> <hostname.domain.org> <hostname><br />
127.0.0.1 localhost.localdomain localhost<br />
#::1 localhost.localdomain localhost<br />
<br />
otherwise there may be connection errors, because hosts are resolved to their IPv6 address, which is no longer reachable.<br />
<br />
=== Other programs ===<br />
<br />
Disabling IPv6 functionality in the kernel does not prevent other programs from trying to use IPv6. In most cases, this is completely harmless, but if you find yourself having issues with that program, you should consult the program's manual pages for a way to disable that functionality.<br />
<br />
==== dhcpcd ====<br />
<br />
''dhcpcd'' will continue to harmlessly attempt IPv6 router solicitation. To disable this, as stated in the {{ic|dhcpcd.conf(5)}} [[man page]], add the following to {{ic|/etc/dhcpcd.conf}}:<br />
<br />
noipv6rs<br />
noipv6<br />
<br />
==== NetworkManager ====<br />
<br />
{{Poor writing|Specific approach to disable via GUI}}<br />
<br />
To disable IPv6 in NetworkManager, right click the network status icon, and select ''Edit Connections > Wired > ''Network name'' > Edit > IPv6 Settings > Method > Ignore/Disabled''<br />
<br />
Then click "Save".<br />
<br />
==== ntpd ====<br />
<br />
Following advice in [[Systemd#Drop-in snippets]], change how systemd starts {{ic|ntpd.service}}:<br />
<br />
# systemctl edit ntpd.service<br />
<br />
This will create a drop-in snippet that will be run instead of the default {{ic|ntpd.service}}. The {{ic|-4}} flag prevents IPv6 from being used by the ntp daemon. Put the following into the drop-in snippet:<br />
<br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/ntpd -4 -g -u ntp:ntp<br />
<br />
which first clears the previous {{ic|ExecStart}}, and then replaces it with one that includes the {{ic|-4}} flag.<br />
<br />
== See also ==<br />
<br />
* [https://www.kernel.org/doc/Documentation/networking/ipv6.txt IPv6] - kernel.org documentation<br />
* [http://www.ipsidixit.net/2012/08/09/ipv6-temporary-addresses-and-privacy-extensions/ IPv6 temporary addresses] - a summary about temporary addresses and privacy extensions<br />
* [http://tldp.org/HOWTO/Linux+IPv6-HOWTO/x513.html IPv6 prefixes] - a summary of prefix types<br />
* [http://tldp.org/HOWTO/Linux+IPv6-HOWTO/proc-sys-net-ipv6..html net.ipv6 options] - documentation of kernel parameters</div>Foucaulthttps://wiki.archlinux.org/index.php?title=IPv6&diff=369339IPv62015-04-11T15:04:31Z<p>Foucault: Add information for SLAAC</p>
<hr />
<div>[[Category:Networking]]<br />
[[es:IPv6]]<br />
[[ja:IPv6]]<br />
[[pt:IPv6]]<br />
[[ru:IPv6]]<br />
[[zh-CN:IPv6]]<br />
{{Related articles start}}<br />
{{Related|IPv6 tunnel broker setup}}<br />
{{Related articles end}}<br />
In Arch Linux, IPv6 is enabled by default. If you are looking for information regarding IPv6 tunnels, you may want to look at [[IPv6 tunnel broker setup]].<br />
<br />
== Privacy extensions ==<br />
<br />
To enable Privacy Extensions for Stateless Address Autoconfiguration in IPv6 according to [https://tools.ietf.org/html/rfc4941 RFC 4941], follow these steps:<br />
<br />
Add these lines to {{ic|/etc/sysctl.d/40-ipv6.conf}}:<br />
<br />
# Enable IPv6 Privacy Extensions<br />
net.ipv6.conf.all.use_tempaddr = 2<br />
net.ipv6.conf.default.use_tempaddr = 2<br />
net.ipv6.conf.''nic0''.use_tempaddr = 2<br />
...<br />
net.ipv6.conf.''nicN''.use_tempaddr = 2<br />
<br />
Where {{ic|nic0}} to {{ic|nicN}} are your '''N'''etwork '''I'''nterface '''C'''ards. The {{ic|all.use_tempaddr}} and {{ic|default.use_tempaddr}} parameters are not applied to NICs that already exist when the [[sysctl]] settings are applied, so every existing interface has to be listed explicitly.<br />
<br />
After a reboot, at the latest, Privacy Extensions should be enabled.<br />
<br />
=== dhcpcd ===<br />
<br />
Since version 6.4.0, [[dhcpcd]] includes the option {{ic|slaac private}} in its default configuration file, which enables "Stable Private IPv6 Addresses instead of hardware based ones", implementing [https://tools.ietf.org/html/rfc7217 RFC 7217] ([http://roy.marples.name/projects/dhcpcd/info/8aa9dab00dc72c453aeccbde885ecce27a3d81ff commit]). Therefore nothing needs to be changed, unless you want the IPv6 address to change more often than each time the system connects to a new network.<br />
<br />
=== NetworkManager ===<br />
<br />
NetworkManager does not honour the settings placed in {{ic|/etc/sysctl.d/40-ipv6.conf}}. This can be verified by running {{ic|$ ip -6 addr show ''interface''}} after rebooting: no {{ic|scope global '''temporary'''}} address appears besides the regular one.<br />
<br />
See [[NetworkManager#Enable IPv6 Privacy Extensions]] for a workaround.<br />
<br />
{{Note|Although it may seem the {{ic|scope global temporary}} IPv6 address created by enabling Privacy Extensions never gets renewed (it never shifts to {{ic|deprecated}} status at the term of its {{ic|valid_lft}} lifetime), it is to be verified over a longer period of time that this address '''does''' indeed change.}}<br />
<br />
== Neighbor discovery ==<br />
<br />
Pinging the multicast address {{ic|ff02::1}} results in all hosts in link-local scope responding. An interface has to be specified:<br />
<br />
$ ping6 ff02::1%eth0<br />
<br />
With a ping to the multicast address {{ic|ff02::2}} only routers will respond.<br />
<br />
If you add the option {{ic|-I ''your-global-ipv6''}}, hosts on the link will respond with their global scope addresses. The interface can be omitted in this case:<br />
<br />
$ ping6 -I 2001:4f8:fff6::21 ff02::1<br />
<br />
== Static address ==<br />
<br />
Sometimes using a static address can improve security. For example, if your local router uses Neighbor Discovery or radvd ([http://www.apps.ietf.org/rfc/rfc2461.html RFC 2461]), your interface will automatically be assigned an address based on its MAC address (using IPv6 Stateless Autoconfiguration). This may be less than ideal for security, since it allows a system to be tracked even if the network portion of the IP address changes.<br />
<br />
To assign a static IP address using [[netctl]], look at the example profile in {{ic|/etc/netctl/examples/ethernet-static}}. The following lines are important:<br />
<br />
...<br />
# For IPv6 static address configuration<br />
IP6=static<br />
Address6=('1234:5678:9abc:def::1/64' '1234:3456::123/96')<br />
Routes6=('abcd::1234')<br />
Gateway6='1234:0:123::abcd'<br />
<br />
== Stateless autoconfiguration (SLAAC) ==<br />
<br />
The easiest way to acquire an IPv6 address, provided your network is set up for it, is through ''Stateless address autoconfiguration'' (SLAAC for short). The address is automatically inferred from the prefix that your router advertises and requires neither further configuration nor specialized software such as a DHCP client.<br />
<br />
=== For clients ===<br />
<br />
If you are using [[netctl]] you just need to add the following line to your ethernet or wireless configuration.<br />
<br />
IP6=stateless<br />
<br />
If you are using [[NetworkManager]] then it automatically enables IPv6 addresses if there are advertisements for them in the network.<br />
<br />
=== For gateways ===<br />
<br />
To properly hand out IPv6 addresses to the network clients, an advertising daemon is needed. The standard tool for this job is {{Pkg|radvd}}, which is available in the [[official repositories]]. Configuration of radvd is fairly simple. Edit {{ic|/etc/radvd.conf}} to include:<br />
<br />
# replace LAN with your LAN facing interface<br />
interface LAN {<br />
AdvSendAdvert on;<br />
MinRtrAdvInterval 3;<br />
MaxRtrAdvInterval 10;<br />
prefix ::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
};<br />
};<br />
<br />
The above configuration will tell clients to autoconfigure themselves using addresses from the advertised /64 block. Please note that the above configuration advertises ''all available prefixes'' assigned to the LAN facing interface. If you want to limit the advertised prefixes, use the desired prefix instead of {{ic|::/64}}, e.g. {{ic|2001:DB8::/64}}. The {{ic|prefix}} block can be repeated as many times as needed for more prefixes.<br />
<br />
== IPv6 and PPPoE ==<br />
<br />
The standard tool for PPPoE, {{ic|pppd}}, provides support for IPv6 on PPPoE as long as your ISP and your modem support it. Just add the following to {{ic|/etc/ppp/pppoe.conf}}:<br />
<br />
+ipv6<br />
<br />
If you are using [[netctl]] for PPPoE, then just add the following to your netctl configuration instead:<br />
<br />
PPPoEIP6=yes<br />
<br />
== Prefix delegation (DHCPv6-PD) ==<br />
{{Note|This section is targeted towards custom gateway configuration, not client machines. For standard market routers please consult the documentation of your router on how to enable prefix delegation.}}<br />
<br />
Prefix delegation is a common IPv6 deployment technique used by many ISPs. It is a method of assigning a network prefix to a user site (i.e. a local network). A router can be configured to assign different network prefixes to various subnetworks. The ISP hands out a network prefix using DHCPv6 (usually a {{ic|/56}} or {{ic|/64}}) and a DHCPv6 client assigns the prefixes to the local network. For a simple two-interface gateway, this practically means assigning an IPv6 prefix to the interface connected to the local network from the prefix acquired through the interface connected to the WAN (or a pseudo-interface such as ppp).<br />
<br />
=== With dibbler ===<br />
<br />
[http://klub.com.pl/dhcpv6/ Dibbler] is a portable DHCPv6 client and server which can be used for prefix delegation. It is available in the [https://aur.archlinux.org/packages/dibbler AUR].<br />
<br />
If you are using {{ic|dibbler}}, edit {{ic|/etc/dibbler/client.conf}}:<br />
<br />
log-mode short<br />
log-level 7<br />
# use the interface connected to your WAN<br />
iface "WAN" {<br />
ia<br />
pd<br />
}<br />
<br />
{{Tip|Read manpage '''{{ic|dibbler-client(8)}}''' for more information.}}<br />
<br />
=== With dhcpcd ===<br />
<br />
[[Dhcpcd]], apart from IPv4 DHCP support, also provides a fairly complete implementation of the DHCPv6 client standard, which includes DHCPv6-PD. If you are using {{ic|dhcpcd}}, edit {{ic|/etc/dhcpcd.conf}}. You might already be using dhcpcd for IPv4, so just update your existing configuration:<br />
<br />
duid<br />
noipv6rs<br />
waitip 6<br />
# Uncomment this line if you are running dhcpcd for IPv6 only.<br />
#ipv6only<br />
<br />
# use the interface connected to WAN<br />
interface WAN<br />
ipv6rs<br />
iaid 1<br />
# use the interface connected to your LAN<br />
ia_pd 1 LAN<br />
#ia_pd 1/::/64 LAN/0/64<br />
<br />
This configuration will ask for a prefix on the WAN interface ({{ic|WAN}}) and delegate it to the internal interface ({{ic|LAN}}).<br />
In the event that a {{ic|/64}} range is issued, you will need to use the second {{ic|ia_pd}} instruction, which is commented out, instead.<br />
It will also disable router solicitations on all interfaces except for the WAN interface ({{ic|WAN}}).<br />
<br />
{{Tip|Also read: manpages '''{{ic|dhcpcd(8)}}''' and '''{{ic|dhcpcd.conf(5)}}'''.}}<br />
<br />
=== With WIDE-DHCPv6 ===<br />
<br />
[http://wide-dhcpv6.sourceforge.net/ WIDE-DHCPv6] is an open-source implementation of the Dynamic Host Configuration Protocol for IPv6 (DHCPv6) originally developed by the KAME project. It is available in the [https://aur.archlinux.org/packages/wide-dhcpv6/ AUR].<br />
<br />
If you are using {{ic|wide-dhcpv6}}, edit {{ic|/etc/wide-dhcpv6/dhcp6c.conf}}:<br />
<br />
# use the interface connected to your WAN<br />
interface WAN {<br />
send ia-pd 0;<br />
};<br />
<br />
id-assoc pd 0 {<br />
# use the interface connected to your LAN<br />
prefix-interface LAN {<br />
sla-id 1;<br />
sla-len 8;<br />
};<br />
};<br />
<br />
{{Note|1={{ic|sla-len}} should be set so that {{ic|1=(WAN-prefix) + (sla-len) = 64}}. In this case it is set up for a {{ic|/56}} prefix, since 56+8=64. For a {{ic|/64}} prefix, {{ic|sla-len}} should be {{ic|0}}.}}<br />
<br />
To enable and start the wide-dhcpv6 client, use the following command, replacing {{ic|WAN}} with the interface that is connected to your WAN:<br />
# systemctl enable/start dhcp6c@WAN.service<br />
<br />
{{Tip|Read manpages '''{{ic|dhcp6c(8)}}''' and '''{{ic|dhcp6c.conf(5)}}''' for more information.}}<br />
<br />
== IPv6 on Comcast ==<br />
<br />
{{ic|dhcpcd -4}} or {{ic|dhcpcd -6}} worked using a Motorola SURFBoard 6141 and a Realtek RTL8168d/8111d. Either would work, but would not run dual stack: both protocols and addresses on one interface. (The {{ic|-6}} command would not work if {{ic|-4}} ran first, even after resetting the interface. And when it did, it gave the NIC a /128 address.) Try these commands:<br />
<br />
# dhclient -4 enp3s0<br />
# dhclient -P -v enp3s0<br />
<br />
The {{ic|-P}} argument grabs a lease of the IPv6 prefix only. {{ic|-v}} writes to {{ic|stdout}} what is also written to {{ic|/var/lib/dhclient/dhclient6.leases}}:<br />
<br />
Bound to *:546<br />
Listening on Socket/enp3s0<br />
Sending on Socket/enp3s0<br />
PRC: Confirming active lease (INIT-REBOOT).<br />
XMT: Forming Rebind, 0 ms elapsed.<br />
XMT: X-- IA_PD a1:b2:cd:e2<br />
XMT: | X-- Requested renew +3600<br />
XMT: | X-- Requested rebind +5400<br />
XMT: | | X-- '''IAPREFIX 1234:5:6700:890::/64'''<br />
<br />
{{ic|IAPREFIX}} is the value you need. Replace the trailing {{ic|::}} with {{ic|::1}} before the CIDR slash to turn the prefix into a usable host address:<br />
<br />
# ip -6 addr add 1234:5:6700:890::1/64 dev enp3s0<br />
<br />
== Disable IPv6 ==<br />
<br />
{{Note|The Arch kernel has IPv6 support built in directly, therefore a module cannot be blacklisted.}}<br />
<br />
{{Expansion|Add reasons why users may want to disable IPv6, such as low-quality DNS servers or firewall rules}}<br />
<br />
=== Disable functionality ===<br />
<br />
Adding {{ic|1=ipv6.disable=1}} to the kernel line disables the whole IPv6 stack, which is likely what you want if you are experiencing issues. See [[Kernel parameters]] for more information.<br />
<br />
Alternatively, adding {{ic|1=ipv6.disable_ipv6=1}} instead will keep the IPv6 stack functional but will not assign IPv6 addresses to any of your network devices.<br />
<br />
One can also avoid assigning IPv6 addresses to specific network interfaces by adding the following sysctl config to {{ic|/etc/sysctl.d/40-ipv6.conf}}:<br />
<br />
# Disable IPv6<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.''nic0''.disable_ipv6 = 1<br />
...<br />
net.ipv6.conf.''nicN''.disable_ipv6 = 1<br />
<br />
Note that you must list all of the targeted interfaces explicitly, as setting {{ic|all.disable_ipv6}} does not apply to interfaces that are already "up" when the sysctl settings are applied.<br />
<br />
Also, if you disable IPv6 via sysctl, you should comment out the IPv6 hosts in {{ic|/etc/hosts}}:<br />
<br />
#<ip-address> <hostname.domain.org> <hostname><br />
127.0.0.1 localhost.localdomain localhost<br />
#::1 localhost.localdomain localhost<br />
<br />
otherwise there could be connection errors, because hosts would resolve to an IPv6 address that is not reachable.<br />
<br />
=== Other programs ===<br />
<br />
Disabling IPv6 functionality in the kernel does not prevent other programs from trying to use IPv6. In most cases this is completely harmless, but if you find yourself having issues with a particular program, consult its manual pages for a way to disable that functionality.<br />
<br />
==== dhcpcd ====<br />
<br />
''dhcpcd'' will continue to harmlessly attempt IPv6 router solicitation. To disable this, as stated in the {{ic|dhcpcd.conf(5)}} [[man page]], add the following to {{ic|/etc/dhcpcd.conf}}:<br />
<br />
noipv6rs<br />
noipv6<br />
<br />
==== NetworkManager ====<br />
<br />
{{Poor writing|Specific approach to disable via GUI}}<br />
<br />
To disable IPv6 in NetworkManager, right click the network status icon, and select ''Edit Connections > Wired > ''Network name'' > Edit > IPv6 Settings > Method > Ignore/Disabled''<br />
<br />
Then click "Save".<br />
<br />
==== ntpd ====<br />
<br />
Following advice in [[Systemd#Drop-in snippets]], change how systemd starts {{ic|ntpd.service}}:<br />
<br />
# systemctl edit ntpd.service<br />
<br />
This will create a drop-in snippet that overrides the default {{ic|ntpd.service}}. The {{ic|-4}} flag prevents IPv6 from being used by the NTP daemon. Put the following into the drop-in snippet:<br />
<br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/ntpd -4 -g -u ntp:ntp<br />
<br />
which first clears the previous {{ic|ExecStart}}, and then replaces it with one that includes the {{ic|-4}} flag.<br />
<br />
== See also ==<br />
<br />
* [https://www.kernel.org/doc/Documentation/networking/ipv6.txt IPv6] - kernel.org documentation<br />
* [http://www.ipsidixit.net/2012/08/09/ipv6-temporary-addresses-and-privacy-extensions/ IPv6 temporary addresses] - a summary about temporary addresses and privacy extensions<br />
* [http://tldp.org/HOWTO/Linux+IPv6-HOWTO/x513.html IPv6 prefixes] - a summary of prefix types<br />
* [http://tldp.org/HOWTO/Linux+IPv6-HOWTO/proc-sys-net-ipv6..html net.ipv6 options] - documentation of kernel parameters</div>Foucaulthttps://wiki.archlinux.org/index.php?title=IPv6&diff=369328IPv62015-04-11T14:49:25Z<p>Foucault: /* Prefix delegation (DHCPv6-PD) */ Note for prefix delegation</p>
<hr />
<div>[[Category:Networking]]<br />
[[es:IPv6]]<br />
[[ja:IPv6]]<br />
[[pt:IPv6]]<br />
[[ru:IPv6]]<br />
[[zh-CN:IPv6]]<br />
{{Related articles start}}<br />
{{Related|IPv6 tunnel broker setup}}<br />
{{Related articles end}}<br />
In Arch Linux, IPv6 is enabled by default. If you are looking for information regarding IPv6 tunnels, you may want to look at [[IPv6 tunnel broker setup]].<br />
<br />
== Privacy extensions ==<br />
<br />
To enable Privacy Extensions for Stateless Address Autoconfiguration in IPv6 according to [https://tools.ietf.org/html/rfc4941 RFC 4941], reproduce the following steps:<br />
<br />
Add these lines to {{ic|/etc/sysctl.d/40-ipv6.conf}}:<br />
<br />
# Enable IPv6 Privacy Extensions<br />
net.ipv6.conf.all.use_tempaddr = 2<br />
net.ipv6.conf.default.use_tempaddr = 2<br />
net.ipv6.conf.''nic0''.use_tempaddr = 2<br />
...<br />
net.ipv6.conf.''nicN''.use_tempaddr = 2<br />
<br />
Where {{ic|nic0}} to {{ic|nicN}} are your '''N'''etwork '''I'''nterface '''C'''ards. The {{ic|all.use_tempaddr}} or {{ic|default.use_tempaddr}} parameters are not applied to NICs that already exist when the [[sysctl]] settings are executed.<br />
<br />
After a reboot, at the latest, Privacy Extensions should be enabled.<br />
<br />
=== dhcpcd ===<br />
<br />
[[dhcpcd]] includes the option {{ic|slaac private}} in its default configuration file since version 6.4.0, which enables "Stable Private IPv6 Addresses instead of hardware based ones", implementing [https://tools.ietf.org/html/rfc7217 RFC 7217] ([http://roy.marples.name/projects/dhcpcd/info/8aa9dab00dc72c453aeccbde885ecce27a3d81ff commit]). Therefore, nothing needs to be changed, unless you want the IPv6 address to change more often than each time the system connects to a new network.<br />
<br />
=== NetworkManager ===<br />
<br />
NetworkManager does not honour the settings placed in {{ic|/etc/sysctl.d/40-ipv6.conf}}. This can be verified by running {{ic|$ ip -6 addr show ''interface''}} after rebooting: no {{ic|scope global '''temporary'''}} address appears besides the regular one.<br />
<br />
See [[NetworkManager#Enable IPv6 Privacy Extensions]] for a workaround.<br />
<br />
{{Note|Although it may seem the {{ic|scope global temporary}} IPv6 address created by enabling Privacy Extensions never gets renewed (it never shifts to {{ic|deprecated}} status at the term of its {{ic|valid_lft}} lifetime), it is to be verified over a longer period of time that this address '''does''' indeed change.}}<br />
<br />
== Neighbor discovery ==<br />
<br />
Pinging the multicast address {{ic|ff02::1}} results in all hosts in link-local scope responding. An interface has to be specified:<br />
<br />
$ ping6 ff02::1%eth0<br />
<br />
With a ping to the multicast address {{ic|ff02::2}} only routers will respond.<br />
<br />
If you add the option {{ic|-I ''your-global-ipv6''}}, link-local hosts will respond with their global scope addresses. The interface can be omitted in this case:<br />
<br />
$ ping6 -I 2001:4f8:fff6::21 ff02::1<br />
<br />
== Static address ==<br />
<br />
Sometimes using a static address can improve security. For example, if your local router uses Neighbor Discovery or radvd ([http://www.apps.ietf.org/rfc/rfc2461.html RFC 2461]), your interface will automatically be assigned an address based on its MAC address (using IPv6's Stateless Autoconfiguration). This may be less than ideal for security, since the interface identifier stays the same and allows a system to be tracked even if the network portion of the IP address changes.<br />
<br />
To assign a static IP address using [[netctl]], look at the example profile in {{ic|/etc/netctl/examples/ethernet-static}}. The following lines are important:<br />
<br />
...<br />
# For IPv6 static address configuration<br />
IP6=static<br />
Address6=('1234:5678:9abc:def::1/64' '1234:3456::123/96')<br />
Routes6=('abcd::1234')<br />
Gateway6='1234:0:123::abcd'<br />
<br />
== IPv6 and PPPoE ==<br />
<br />
The standard tool for PPPoE, {{ic|pppd}}, provides support for IPv6 on PPPoE as long as your ISP and your modem support it. Just add the following to {{ic|/etc/ppp/pppoe.conf}}:<br />
<br />
+ipv6<br />
<br />
If you are using [[netctl]] for PPPoE, then just add the following to your netctl configuration instead:<br />
<br />
PPPoEIP6=yes<br />
<br />
== Prefix delegation (DHCPv6-PD) ==<br />
{{Note|This section is targeted towards custom gateway configuration, not client machines. For standard market routers please consult the documentation of your router on how to enable prefix delegation.}}<br />
<br />
Prefix delegation is a common IPv6 deployment technique used by many ISPs. It is a method of assigning a network prefix to a user site (i.e. a local network). A router can be configured to assign different network prefixes to various subnetworks. The ISP hands out a network prefix using DHCPv6 (usually a {{ic|/56}} or {{ic|/64}}) and a DHCPv6 client assigns the prefixes to the local network. For a simple two-interface gateway, this practically means assigning an IPv6 prefix to the interface connected to the local network from the prefix acquired through the interface connected to the WAN (or a pseudo-interface such as ppp).<br />
<br />
=== With dibbler ===<br />
<br />
[http://klub.com.pl/dhcpv6/ Dibbler] is a portable DHCPv6 client and server which can be used for prefix delegation. It is available in the [https://aur.archlinux.org/packages/dibbler AUR].<br />
<br />
If you are using {{ic|dibbler}}, edit {{ic|/etc/dibbler/client.conf}}:<br />
<br />
log-mode short<br />
log-level 7<br />
# use the interface connected to your WAN<br />
iface "WAN" {<br />
ia<br />
pd<br />
}<br />
<br />
{{Tip|Read manpage '''{{ic|dibbler-client(8)}}''' for more information.}}<br />
<br />
=== With dhcpcd ===<br />
<br />
[[Dhcpcd]], apart from IPv4 DHCP support, also provides a fairly complete implementation of the DHCPv6 client standard, which includes DHCPv6-PD. If you are using {{ic|dhcpcd}}, edit {{ic|/etc/dhcpcd.conf}}. You might already be using dhcpcd for IPv4, so just update your existing configuration:<br />
<br />
duid<br />
noipv6rs<br />
waitip 6<br />
# Uncomment this line if you are running dhcpcd for IPv6 only.<br />
#ipv6only<br />
<br />
# use the interface connected to WAN<br />
interface WAN<br />
ipv6rs<br />
iaid 1<br />
# use the interface connected to your LAN<br />
ia_pd 1 LAN<br />
#ia_pd 1/::/64 LAN/0/64<br />
<br />
This configuration will ask for a prefix on the WAN interface ({{ic|WAN}}) and delegate it to the internal interface ({{ic|LAN}}).<br />
In the event that a {{ic|/64}} range is issued, you will need to use the second {{ic|ia_pd}} instruction, which is commented out, instead.<br />
It will also disable router solicitations on all interfaces except for the WAN interface ({{ic|WAN}}).<br />
<br />
{{Tip|Also read: manpages '''{{ic|dhcpcd(8)}}''' and '''{{ic|dhcpcd.conf(5)}}'''.}}<br />
<br />
=== With WIDE-DHCPv6 ===<br />
<br />
[http://wide-dhcpv6.sourceforge.net/ WIDE-DHCPv6] is an open-source implementation of the Dynamic Host Configuration Protocol for IPv6 (DHCPv6) originally developed by the KAME project. It is available in the [https://aur.archlinux.org/packages/wide-dhcpv6/ AUR].<br />
<br />
If you are using {{ic|wide-dhcpv6}}, edit {{ic|/etc/wide-dhcpv6/dhcp6c.conf}}:<br />
<br />
# use the interface connected to your WAN<br />
interface WAN {<br />
send ia-pd 0;<br />
};<br />
<br />
id-assoc pd 0 {<br />
# use the interface connected to your LAN<br />
prefix-interface LAN {<br />
sla-id 1;<br />
sla-len 8;<br />
};<br />
};<br />
<br />
{{Note|1={{ic|sla-len}} should be set so that {{ic|1=(WAN-prefix) + (sla-len) = 64}}. In this case it is set up for a {{ic|/56}} prefix, since 56+8=64. For a {{ic|/64}} prefix, {{ic|sla-len}} should be {{ic|0}}.}}<br />
<br />
To enable and start the wide-dhcpv6 client, use the following command, replacing {{ic|WAN}} with the interface that is connected to your WAN:<br />
# systemctl enable/start dhcp6c@WAN.service<br />
<br />
{{Tip|Read manpages '''{{ic|dhcp6c(8)}}''' and '''{{ic|dhcp6c.conf(5)}}''' for more information.}}<br />
<br />
== IPv6 on Comcast ==<br />
<br />
{{ic|dhcpcd -4}} or {{ic|dhcpcd -6}} worked using a Motorola SURFBoard 6141 and a Realtek RTL8168d/8111d. Either would work, but would not run dual stack: both protocols and addresses on one interface. (The {{ic|-6}} command would not work if {{ic|-4}} ran first, even after resetting the interface. And when it did, it gave the NIC a /128 address.) Try these commands:<br />
<br />
# dhclient -4 enp3s0<br />
# dhclient -P -v enp3s0<br />
<br />
The {{ic|-P}} argument grabs a lease of the IPv6 prefix only. {{ic|-v}} writes to {{ic|stdout}} what is also written to {{ic|/var/lib/dhclient/dhclient6.leases}}:<br />
<br />
Bound to *:546<br />
Listening on Socket/enp3s0<br />
Sending on Socket/enp3s0<br />
PRC: Confirming active lease (INIT-REBOOT).<br />
XMT: Forming Rebind, 0 ms elapsed.<br />
XMT: X-- IA_PD a1:b2:cd:e2<br />
XMT: | X-- Requested renew +3600<br />
XMT: | X-- Requested rebind +5400<br />
XMT: | | X-- '''IAPREFIX 1234:5:6700:890::/64'''<br />
<br />
{{ic|IAPREFIX}} is the value you need. Replace the trailing {{ic|::}} with {{ic|::1}} before the CIDR slash to turn the prefix into a usable host address:<br />
<br />
# ip -6 addr add 1234:5:6700:890::1/64 dev enp3s0<br />
<br />
== Disable IPv6 ==<br />
<br />
{{Note|The Arch kernel has IPv6 support built in directly, therefore a module cannot be blacklisted.}}<br />
<br />
{{Expansion|Add reasons why users may want to disable IPv6, such as low-quality DNS servers or firewall rules}}<br />
<br />
=== Disable functionality ===<br />
<br />
Adding {{ic|1=ipv6.disable=1}} to the kernel line disables the whole IPv6 stack, which is likely what you want if you are experiencing issues. See [[Kernel parameters]] for more information.<br />
<br />
Alternatively, adding {{ic|1=ipv6.disable_ipv6=1}} instead will keep the IPv6 stack functional but will not assign IPv6 addresses to any of your network devices.<br />
<br />
One can also avoid assigning IPv6 addresses to specific network interfaces by adding the following sysctl config to {{ic|/etc/sysctl.d/40-ipv6.conf}}:<br />
<br />
# Disable IPv6<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.''nic0''.disable_ipv6 = 1<br />
...<br />
net.ipv6.conf.''nicN''.disable_ipv6 = 1<br />
<br />
Note that you must list all of the targeted interfaces explicitly, as setting {{ic|all.disable_ipv6}} does not apply to interfaces that are already "up" when the sysctl settings are applied.<br />
<br />
Also, if you disable IPv6 via sysctl, you should comment out the IPv6 hosts in {{ic|/etc/hosts}}:<br />
<br />
#<ip-address> <hostname.domain.org> <hostname><br />
127.0.0.1 localhost.localdomain localhost<br />
#::1 localhost.localdomain localhost<br />
<br />
otherwise there could be connection errors, because hosts would resolve to an IPv6 address that is not reachable.<br />
<br />
=== Other programs ===<br />
<br />
Disabling IPv6 functionality in the kernel does not prevent other programs from trying to use IPv6. In most cases this is completely harmless, but if you find yourself having issues with a particular program, consult its manual pages for a way to disable that functionality.<br />
<br />
==== dhcpcd ====<br />
<br />
''dhcpcd'' will continue to harmlessly attempt IPv6 router solicitation. To disable this, as stated in the {{ic|dhcpcd.conf(5)}} [[man page]], add the following to {{ic|/etc/dhcpcd.conf}}:<br />
<br />
noipv6rs<br />
noipv6<br />
<br />
==== NetworkManager ====<br />
<br />
{{Poor writing|Specific approach to disable via GUI}}<br />
<br />
To disable IPv6 in NetworkManager, right click the network status icon, and select ''Edit Connections > Wired > ''Network name'' > Edit > IPv6 Settings > Method > Ignore/Disabled''<br />
<br />
Then click "Save".<br />
<br />
==== ntpd ====<br />
<br />
Following advice in [[Systemd#Drop-in snippets]], change how systemd starts {{ic|ntpd.service}}:<br />
<br />
# systemctl edit ntpd.service<br />
<br />
This will create a drop-in snippet that overrides the default {{ic|ntpd.service}}. The {{ic|-4}} flag prevents IPv6 from being used by the NTP daemon. Put the following into the drop-in snippet:<br />
<br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/ntpd -4 -g -u ntp:ntp<br />
<br />
which first clears the previous {{ic|ExecStart}}, and then replaces it with one that includes the {{ic|-4}} flag.<br />
<br />
== See also ==<br />
<br />
* [https://www.kernel.org/doc/Documentation/networking/ipv6.txt IPv6] - kernel.org documentation<br />
* [http://www.ipsidixit.net/2012/08/09/ipv6-temporary-addresses-and-privacy-extensions/ IPv6 temporary addresses] - a summary about temporary addresses and privacy extensions<br />
* [http://tldp.org/HOWTO/Linux+IPv6-HOWTO/x513.html IPv6 prefixes] - a summary of prefix types<br />
* [http://tldp.org/HOWTO/Linux+IPv6-HOWTO/proc-sys-net-ipv6..html net.ipv6 options] - documentation of kernel parameters</div>Foucaulthttps://wiki.archlinux.org/index.php?title=IPv6&diff=369325IPv62015-04-11T14:41:29Z<p>Foucault: /* With WIDE-DHCPv6 */</p>
<hr />
<div>[[Category:Networking]]<br />
[[es:IPv6]]<br />
[[ja:IPv6]]<br />
[[pt:IPv6]]<br />
[[ru:IPv6]]<br />
[[zh-CN:IPv6]]<br />
{{Related articles start}}<br />
{{Related|IPv6 tunnel broker setup}}<br />
{{Related articles end}}<br />
In Arch Linux, IPv6 is enabled by default. If you are looking for information regarding IPv6 tunnels, you may want to look at [[IPv6 tunnel broker setup]].<br />
<br />
== Privacy extensions ==<br />
<br />
To enable Privacy Extensions for Stateless Address Autoconfiguration in IPv6 according to [https://tools.ietf.org/html/rfc4941 RFC 4941], reproduce the following steps:<br />
<br />
Add these lines to {{ic|/etc/sysctl.d/40-ipv6.conf}}:<br />
<br />
# Enable IPv6 Privacy Extensions<br />
net.ipv6.conf.all.use_tempaddr = 2<br />
net.ipv6.conf.default.use_tempaddr = 2<br />
net.ipv6.conf.''nic0''.use_tempaddr = 2<br />
...<br />
net.ipv6.conf.''nicN''.use_tempaddr = 2<br />
<br />
Where {{ic|nic0}} to {{ic|nicN}} are your '''N'''etwork '''I'''nterface '''C'''ards. The {{ic|all.use_tempaddr}} or {{ic|default.use_tempaddr}} parameters are not applied to NICs that already exist when the [[sysctl]] settings are executed.<br />
<br />
After a reboot, at the latest, Privacy Extensions should be enabled.<br />
<br />
=== dhcpcd ===<br />
<br />
[[dhcpcd]] includes the option {{ic|slaac private}} in its default configuration file since version 6.4.0, which enables "Stable Private IPv6 Addresses instead of hardware based ones", implementing [https://tools.ietf.org/html/rfc7217 RFC 7217] ([http://roy.marples.name/projects/dhcpcd/info/8aa9dab00dc72c453aeccbde885ecce27a3d81ff commit]). Therefore, nothing needs to be changed, unless you want the IPv6 address to change more often than each time the system connects to a new network.<br />
<br />
=== NetworkManager ===<br />
<br />
NetworkManager does not honour the settings placed in {{ic|/etc/sysctl.d/40-ipv6.conf}}. This can be verified by running {{ic|$ ip -6 addr show ''interface''}} after rebooting: no {{ic|scope global '''temporary'''}} address appears besides the regular one.<br />
<br />
See [[NetworkManager#Enable IPv6 Privacy Extensions]] for a workaround.<br />
<br />
{{Note|Although it may seem the {{ic|scope global temporary}} IPv6 address created by enabling Privacy Extensions never gets renewed (it never shifts to {{ic|deprecated}} status at the term of its {{ic|valid_lft}} lifetime), it is to be verified over a longer period of time that this address '''does''' indeed change.}}<br />
<br />
== Neighbor discovery ==<br />
<br />
Pinging the multicast address {{ic|ff02::1}} results in all hosts in link-local scope responding. An interface has to be specified:<br />
<br />
$ ping6 ff02::1%eth0<br />
<br />
With a ping to the multicast address {{ic|ff02::2}} only routers will respond.<br />
<br />
If you add the option {{ic|-I ''your-global-ipv6''}}, link-local hosts will respond with their global scope addresses. The interface can be omitted in this case:<br />
<br />
$ ping6 -I 2001:4f8:fff6::21 ff02::1<br />
<br />
== Static address ==<br />
<br />
Sometimes using a static address can improve security. For example, if your local router uses Neighbor Discovery or radvd ([http://www.apps.ietf.org/rfc/rfc2461.html RFC 2461]), your interface will automatically be assigned an address based on its MAC address (using IPv6's Stateless Autoconfiguration). This may be less than ideal for security, since the interface identifier stays the same and allows a system to be tracked even if the network portion of the IP address changes.<br />
<br />
To assign a static IP address using [[netctl]], look at the example profile in {{ic|/etc/netctl/examples/ethernet-static}}. The following lines are important:<br />
<br />
...<br />
# For IPv6 static address configuration<br />
IP6=static<br />
Address6=('1234:5678:9abc:def::1/64' '1234:3456::123/96')<br />
Routes6=('abcd::1234')<br />
Gateway6='1234:0:123::abcd'<br />
<br />
== IPv6 and PPPoE ==<br />
<br />
The standard tool for PPPoE, {{ic|pppd}}, provides support for IPv6 on PPPoE as long as your ISP and your modem support it. Just add the following to {{ic|/etc/ppp/pppoe.conf}}:<br />
<br />
+ipv6<br />
<br />
If you are using [[netctl]] for PPPoE, then just add the following to your netctl configuration instead:<br />
<br />
PPPoEIP6=yes<br />
<br />
== Prefix delegation (DHCPv6-PD) ==<br />
<br />
Prefix delegation is a common IPv6 deployment technique used by many ISPs. It is a method of assigning a network prefix to a user site (i.e. a local network). A router can be configured to assign different network prefixes to various subnetworks. The ISP hands out a network prefix using DHCPv6 and a DHCPv6 client assigns the prefixes to the local network. For a simple two-interface gateway, this practically means assigning an IPv6 prefix to the interface connected to the local network from the prefix acquired through the interface connected to the WAN (or a pseudo-interface such as ppp).<br />
<br />
=== With dibbler ===<br />
<br />
[http://klub.com.pl/dhcpv6/ Dibbler] is a portable DHCPv6 client and server which can be used for prefix delegation. It is available in the [https://aur.archlinux.org/packages/dibbler AUR].<br />
<br />
If you are using {{ic|dibbler}}, edit {{ic|/etc/dibbler/client.conf}}:<br />
<br />
log-mode short<br />
log-level 7<br />
# use the interface connected to your WAN<br />
iface "WAN" {<br />
ia<br />
pd<br />
}<br />
<br />
{{Tip|Read manpage '''{{ic|dibbler-client(8)}}''' for more information.}}<br />
<br />
=== With dhcpcd ===<br />
<br />
[[Dhcpcd]], apart from IPv4 DHCP support, also provides a fairly complete implementation of the DHCPv6 client standard, which includes DHCPv6-PD. If you are using {{ic|dhcpcd}}, edit {{ic|/etc/dhcpcd.conf}}. You might already be using dhcpcd for IPv4, so just update your existing configuration:<br />
<br />
duid<br />
noipv6rs<br />
waitip 6<br />
# Uncomment this line if you are running dhcpcd for IPv6 only.<br />
#ipv6only<br />
<br />
# use the interface connected to WAN<br />
interface WAN<br />
ipv6rs<br />
iaid 1<br />
# use the interface connected to your LAN<br />
ia_pd 1 LAN<br />
#ia_pd 1/::/64 LAN/0/64<br />
<br />
This configuration will ask for a prefix on the WAN interface ({{ic|WAN}}) and delegate it to the internal interface ({{ic|LAN}}).<br />
In the event that a {{ic|/64}} range is issued, you will need to use the second {{ic|ia_pd}} instruction, which is commented out, instead.<br />
It will also disable router solicitations on all interfaces except for the WAN interface ({{ic|WAN}}).<br />
<br />
{{Tip|Also read: manpages '''{{ic|dhcpcd(8)}}''' and '''{{ic|dhcpcd.conf(5)}}'''.}}<br />
<br />
=== With WIDE-DHCPv6 ===<br />
<br />
[http://wide-dhcpv6.sourceforge.net/ WIDE-DHCPv6] is an open-source implementation of the Dynamic Host Configuration Protocol for IPv6 (DHCPv6) originally developed by the KAME project. It is available in the [https://aur.archlinux.org/packages/wide-dhcpv6/ AUR].<br />
<br />
If you are using {{ic|wide-dhcpv6}}, edit {{ic|/etc/wide-dhcpv6/dhcp6c.conf}}:<br />
<br />
# use the interface connected to your WAN<br />
interface WAN {<br />
send ia-pd 0;<br />
};<br />
<br />
id-assoc pd 0 {<br />
# use the interface connected to your LAN<br />
prefix-interface LAN {<br />
sla-id 1;<br />
sla-len 8;<br />
};<br />
};<br />
<br />
{{Note|1={{ic|sla-len}} should be set so that {{ic|1=(WAN-prefix) + (sla-len) = 64}}. In this case it is set up for a {{ic|/56}} prefix, since 56+8=64. For a {{ic|/64}} prefix, {{ic|sla-len}} should be {{ic|0}}.}}<br />
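Worked example of the {{ic|sla-len}} rule in the note above and of the {{ic|/64}} case from the dhcpcd section: it computes which /64 a given {{ic|sla-id}} selects inside the delegated prefix, and rejects combinations the rule forbids. This is an added Python script, not code from wide-dhcpv6, dhcpcd or this page; the delegated prefixes it uses are constructed documentation values, not real delegations.<br />

```python
"""Compute the LAN /64 that DHCPv6-PD delegation yields for a given sla-id.

Added example for the prefix delegation section; it is not code from
wide-dhcpv6, dhcpcd or the wiki page. Every prefix used here is a
constructed documentation value (2001:db8::/32), not a real delegation.
"""
import ipaddress


def sla_len_for(delegated: str) -> int:
    """Solve the note's rule (WAN-prefix) + (sla-len) = 64 for sla-len.

    A /56 delegation needs sla-len 8, a /64 delegation needs sla-len 0.
    """
    net = ipaddress.IPv6Network(delegated, strict=True)
    if net.prefixlen > 64:
        raise ValueError(f"delegated prefix /{net.prefixlen} is longer than /64")
    return 64 - net.prefixlen


def delegated_subnet(delegated: str, sla_id: int, sla_len: int) -> ipaddress.IPv6Network:
    """Return the /64 that sla_id selects inside the delegated prefix.

    sla_len must satisfy the note's rule and sla_id must fit in sla_len
    bits. With a /64 delegation there is exactly one subnet, so sla-len and
    sla-id are both 0 (the dhcpcd '#ia_pd 1/::/64 LAN/0/64' case).
    """
    net = ipaddress.IPv6Network(delegated, strict=True)
    if net.prefixlen + sla_len != 64:
        raise ValueError(
            f"prefix length {net.prefixlen} + sla-len {sla_len} must equal 64"
        )
    if not 0 <= sla_id < (1 << sla_len):
        raise ValueError(f"sla-id {sla_id} does not fit in {sla_len} bits")
    # The SLA ID occupies the bits directly below the delegated prefix: for a
    # /48 to /64 delegation these are the low sla_len bits of the fourth
    # hextet. Address bits 0..63 (the interface identifier) stay zero.
    network_int = int(net.network_address) | (sla_id << 64)
    return ipaddress.IPv6Network((network_int, 64))


def router_address(subnet: ipaddress.IPv6Network, host: int = 1) -> ipaddress.IPv6Interface:
    """Address the gateway itself would use on the LAN side (prefix::1/64)."""
    return ipaddress.IPv6Interface((int(subnet.network_address) | host, 64))


if __name__ == "__main__":
    # Constructed /56 delegation with the section's sla-id 1 / sla-len 8.
    wan_prefix = "2001:db8:1234:ab00::/56"
    lan = delegated_subnet(wan_prefix, sla_id=1, sla_len=sla_len_for(wan_prefix))
    print(lan, router_address(lan))  # 2001:db8:1234:ab01::/64 2001:db8:1234:ab01::1/64
    # Constructed /64 delegation: sla-len is 0 and only sla-id 0 is valid.
    wan_prefix64 = "2001:db8:1234:ab00::/64"
    print(delegated_subnet(wan_prefix64, 0, sla_len_for(wan_prefix64)))  # 2001:db8:1234:ab00::/64
```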
<br />
To enable and start the wide-dhcpv6 client, use the following command, replacing {{ic|WAN}} with the interface that is connected to your WAN:<br />
# systemctl enable/start dhcp6c@WAN.service<br />
<br />
{{Tip|Read manpages '''{{ic|dhcp6c(8)}}''' and '''{{ic|dhcp6c.conf(5)}}''' for more information.}}<br />
<br />
== IPv6 on Comcast ==<br />
<br />
{{ic|dhcpcd -4}} or {{ic|dhcpcd -6}} worked using a Motorola SURFBoard 6141 and a Realtek RTL8168d/8111d. Either would work, but would not run dual stack: both protocols and addresses on one interface. (The {{ic|-6}} command would not work if {{ic|-4}} ran first, even after resetting the interface. And when it did, it gave the NIC a /128 address.) Try these commands:<br />
<br />
# dhclient -4 enp3s0<br />
# dhclient -P -v enp3s0<br />
<br />
The {{ic|-P}} argument grabs a lease of the IPv6 prefix only. {{ic|-v}} writes to {{ic|stdout}} what is also written to {{ic|/var/lib/dhclient/dhclient6.leases}}:<br />
<br />
Bound to *:546<br />
Listening on Socket/enp3s0<br />
Sending on Socket/enp3s0<br />
PRC: Confirming active lease (INIT-REBOOT).<br />
XMT: Forming Rebind, 0 ms elapsed.<br />
XMT: X-- IA_PD a1:b2:cd:e2<br />
XMT: | X-- Requested renew +3600<br />
XMT: | X-- Requested rebind +5400<br />
XMT: | | X-- '''IAPREFIX 1234:5:6700:890::/64'''<br />
<br />
{{ic|IAPREFIX}} is the value you need. Replace the trailing {{ic|::}} with {{ic|::1}} before the CIDR slash to turn the prefix into a usable host address:<br />
<br />
# ip -6 addr add 1234:5:6700:890::1/64 dev enp3s0<br />
<br />
== Disable IPv6 ==<br />
<br />
{{Note|The Arch kernel has IPv6 support built in directly, therefore a module cannot be blacklisted.}}<br />
<br />
{{Expansion|Add reasons why users may want to disable IPv6, such as low-quality DNS servers or firewall rules}}<br />
<br />
=== Disable functionality ===<br />
<br />
Adding {{ic|1=ipv6.disable=1}} to the kernel line disables the whole IPv6 stack, which is likely what you want if you are experiencing issues. See [[Kernel parameters]] for more information.<br />
<br />
Alternatively, adding {{ic|1=ipv6.disable_ipv6=1}} instead will keep the IPv6 stack functional but will not assign IPv6 addresses to any of your network devices.<br />
<br />
One can also avoid assigning IPv6 addresses to specific network interfaces by adding the following sysctl config to {{ic|/etc/sysctl.d/40-ipv6.conf}}:<br />
<br />
# Disable IPv6<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.''nic0''.disable_ipv6 = 1<br />
...<br />
net.ipv6.conf.''nicN''.disable_ipv6 = 1<br />
<br />
Note that you must list all of the targeted interfaces explicitly, as disabling {{ic|all.disable_ipv6}} does not apply to interfaces that are already "up" when sysctl settings are applied.<br />
<br />
Note 2, if disabling IPv6 by sysctl, you should comment out the IPv6 hosts in your {{ic|/etc/hosts}}:<br />
<br />
#<ip-address> <hostname.domain.org> <hostname><br />
127.0.0.1 localhost.localdomain localhost<br />
#::1 localhost.localdomain localhost<br />
<br />
otherwise there could be some connection errors because hosts are resolved to their IPv6 address which is not reachable.<br />
<br />
=== Other programs ===<br />
<br />
Disabling IPv6 functionality in the kernel does not prevent other programs from trying to use IPv6. In most cases, this is completely harmless, but if you find yourself having issues with that program, you should consult the program's manual pages for a way to disable that functionality.<br />
<br />
==== dhcpcd ====<br />
<br />
''dhcpcd'' will continue to harmlessly attempt to perform IPv6 router solicitation. To disable this, as stated in the {{ic|dhcpcd.conf (5)}} [[man page]], add the following to {{ic|/etc/dhcpcd.conf}}:<br />
<br />
noipv6rs<br />
noipv6<br />
<br />
==== NetworkManager ====<br />
<br />
{{Poor writing|Specific approach to disable via GUI}}<br />
<br />
To disable IPv6 in NetworkManager, right click the network status icon, and select ''Edit Connections > Wired > ''Network name'' > Edit > IPv6 Settings > Method > Ignore/Disabled''<br />
<br />
Then click "Save".<br />
<br />
==== ntpd ====<br />
<br />
Following advice in [[Systemd#Drop-in snippets]], change how systemd starts {{ic|ntpd.service}}:<br />
<br />
# systemctl edit ntpd.service<br />
<br />
This will create a drop-in snippet that will be run instead of the default {{ic|ntpd.service}}. The {{ic|-4}} flag prevents IPv6 from being used by the ntp daemon. Put the following into the drop-in snippet:<br />
<br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/ntpd -4 -g -u ntp:ntp<br />
<br />
which first clears the previous {{ic|ExecStart}}, and then replaces it with one that includes the {{ic|-4}} flag.<br />
<br />
== See also ==<br />
<br />
* [https://www.kernel.org/doc/Documentation/networking/ipv6.txt IPv6] - kernel.org documentation<br />
* [http://www.ipsidixit.net/2012/08/09/ipv6-temporary-addresses-and-privacy-extensions/ IPv6 temporary addresses] - a summary about temporary addresses and privacy extensions<br />
* [http://tldp.org/HOWTO/Linux+IPv6-HOWTO/x513.html IPv6 prefixes] - a summary of prefix types<br />
* [http://tldp.org/HOWTO/Linux+IPv6-HOWTO/proc-sys-net-ipv6..html net.ipv6 options] - documentation of kernel parameters</div>Foucaulthttps://wiki.archlinux.org/index.php?title=IPv6&diff=369324IPv62015-04-11T14:40:41Z<p>Foucault: /* With dibbler */</p>
<hr />
<div>[[Category:Networking]]<br />
[[es:IPv6]]<br />
[[ja:IPv6]]<br />
[[pt:IPv6]]<br />
[[ru:IPv6]]<br />
[[zh-CN:IPv6]]<br />
{{Related articles start}}<br />
{{Related|IPv6 tunnel broker setup}}<br />
{{Related articles end}}<br />
In Arch Linux, IPv6 is enabled by default. If you are looking for information regarding IPv6 tunnels, you may want to look at [[IPv6 tunnel broker setup]].<br />
<br />
== Privacy extensions ==<br />
<br />
To enable Privacy Extensions for Stateless Address Autoconfiguration in IPv6 according to [https://tools.ietf.org/html/rfc4941 RFC 4941], reproduce the following steps:<br />
<br />
Add these lines to {{ic|/etc/sysctl.d/40-ipv6.conf}}:<br />
<br />
# Enable IPv6 Privacy Extensions<br />
net.ipv6.conf.all.use_tempaddr = 2<br />
net.ipv6.conf.default.use_tempaddr = 2<br />
net.ipv6.conf.''nic0''.use_tempaddr = 2<br />
...<br />
net.ipv6.conf.''nicN''.use_tempaddr = 2<br />
<br />
Where {{ic|nic0}} to {{ic|nicN}} are your '''N'''etwork '''I'''nterface '''C'''ards. The {{ic|all.use_tempaddr}} and {{ic|default.use_tempaddr}} parameters are not applied to NICs that already exist when the [[sysctl]] settings are executed, which is why each interface is also listed explicitly.<br />
<br />
After a reboot, at the latest, Privacy Extensions should be enabled.<br />
<br />
=== dhcpcd ===<br />
<br />
Since version 6.4.0, [[dhcpcd]] includes the option {{ic|slaac private}} in its default configuration file, which enables "Stable Private IPv6 Addresses instead of hardware based ones", implementing [https://tools.ietf.org/html/rfc7217 RFC 7217] ([http://roy.marples.name/projects/dhcpcd/info/8aa9dab00dc72c453aeccbde885ecce27a3d81ff commit]). Therefore it is not necessary to change anything, unless you want the IPv6 address to change more often than each time the system is connected to a new network.<br />
<br />
=== NetworkManager ===<br />
<br />
NetworkManager does not honour the settings placed in {{ic|/etc/sysctl.d/40-ipv6.conf}}. This can be verified by running {{ic|$ ip -6 addr show ''interface''}} after rebooting: no {{ic|scope global '''temporary'''}} address appears besides the regular one.<br />
<br />
See [[NetworkManager#Enable IPv6 Privacy Extensions]] for a workaround.<br />
<br />
{{Note|Although it may seem that the {{ic|scope global temporary}} IPv6 address created by enabling Privacy Extensions never gets renewed (it does not shift to {{ic|deprecated}} status when its {{ic|valid_lft}} lifetime expires), it remains to be verified over a longer period of time whether this address '''does''' indeed change.}}<br />
<br />
== Neighbor discovery ==<br />
<br />
Pinging the multicast address {{ic|ff02::1}} results in all hosts in link-local scope responding. An interface has to be specified:<br />
<br />
$ ping6 ff02::1%eth0<br />
<br />
With a ping to the multicast address {{ic|ff02::2}} only routers will respond.<br />
<br />
If you add the option {{ic|-I ''your-global-ipv6''}}, link-local hosts will respond with their global-scope addresses. The interface can be omitted in this case:<br />
<br />
$ ping6 -I 2001:4f8:fff6::21 ff02::1<br />
<br />
== Static address ==<br />
<br />
Sometimes using a static address can improve security. For example, if your local router uses Neighbor Discovery or radvd ([http://www.apps.ietf.org/rfc/rfc2461.html RFC 2461]), your interface will automatically be assigned an address based on its MAC address (using IPv6's Stateless Autoconfiguration). This may be less than ideal for security since it allows a system to be tracked even if the network portion of the IP address changes.<br />
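The following Python script is an added example (it is not part of the ArchWiki article) for checking what the sections above describe: it parses the output of {{ic|ip -6 addr show}} and reports, per interface, whether a {{ic|scope global temporary}} address is present (Privacy Extensions in effect) and which stable global addresses carry the {{ic|ff:fe}} marker of a MAC-derived EUI-64 interface identifier, i.e. the trackable kind discussed here. The sample output embedded in the script is constructed, not captured from a real host; the interface names and addresses in it are placeholders.<br />
<br />
```python
"""Report whether SLAAC privacy extensions are in effect per interface.

Added example: parses `ip -6 addr show` text and flags global addresses whose
interface identifier is derived from the MAC (EUI-64, recognisable by the
0xfffe marker in the middle of the low 64 bits).
"""
import ipaddress
import re
import sys

# Constructed sample output of `ip -6 addr show` (not captured from a real host).
SAMPLE = """\
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:a6ba:dbff:fe12:3456/64 scope global dynamic mngtmpaddr
       valid_lft 86391sec preferred_lft 14391sec
    inet6 2001:db8:1:2:3d4f:9c1e:7a2b:8f01/64 scope global temporary dynamic
       valid_lft 86391sec preferred_lft 14391sec
    inet6 fe80::a6ba:dbff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:9:9:aaaa:bbbb:cccc:dddd/64 scope global dynamic
       valid_lft 2591999sec preferred_lft 604799sec
    inet6 fe80::1/64 scope link
       valid_lft forever preferred_lft forever
"""

IFACE_RE = re.compile(r"^\d+: ([^:@]+)[:@]")
ADDR_RE = re.compile(r"^\s+inet6 (\S+) scope (\S+)(.*)$")


def parse_ip6_addr(text):
    """Return {interface: [(IPv6Interface, scope, [flags...]), ...]}."""
    result = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        m = ADDR_RE.match(line)
        if m and current is not None:
            addr, scope, rest = m.groups()
            result[current].append((ipaddress.ip_interface(addr), scope, rest.split()))
    return result


def is_eui64(addr):
    """True if the low 64 bits look MAC-derived: bytes 3-4 of the IID are ff:fe."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return (iid >> 24) & 0xFFFF == 0xFFFE


def audit(text):
    """Per interface: is a temporary address present, and which stable global
    addresses expose the MAC through an EUI-64 identifier?"""
    report = {}
    for iface, addrs in parse_ip6_addr(text).items():
        globals_ = [(a, flags) for a, scope, flags in addrs if scope == "global"]
        report[iface] = {
            "has_temporary": any("temporary" in flags for _, flags in globals_),
            "mac_derived": [str(a.ip) for a, flags in globals_
                            if "temporary" not in flags and is_eui64(a.ip)],
        }
    return report


if __name__ == "__main__":
    # Pipe real output in (`ip -6 addr show | python3 audit.py`) or fall back to the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for iface, info in audit(text).items():
        print(f"{iface}: temporary address present: {info['has_temporary']}, "
              f"MAC-derived global addresses: {info['mac_derived'] or 'none'}")
```
<br />
An interface that still reports no temporary address after the sysctl change and a reboot is the symptom described in the NetworkManager section below; an address listed under MAC-derived is one that stays recognisable across networks unless a static or RFC 7217 stable-private address is used instead.<br />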
<br />
To assign a static IP address using [[netctl]], look at the example profile in {{ic|/etc/netctl/examples/ethernet-static}}. The following lines are important:<br />
<br />
...<br />
# For IPv6 static address configuration<br />
IP6=static<br />
Address6=('1234:5678:9abc:def::1/64' '1234:3456::123/96')<br />
Routes6=('abcd::1234')<br />
Gateway6='1234:0:123::abcd'<br />
<br />
== IPv6 and PPPoE ==<br />
<br />
The standard tool for PPPoE, {{ic|pppd}}, provides support for IPv6 over PPPoE as long as your ISP and your modem support it. Just add the following to {{ic|/etc/ppp/pppoe.conf}}:<br />
<br />
+ipv6<br />
<br />
If you are using [[netctl]] for PPPoE then just add the following to your netctl configuration instead:<br />
<br />
PPPoEIP6=yes<br />
<br />
== Prefix delegation (DHCPv6-PD) ==<br />
<br />
Prefix delegation is a common IPv6 deployment technique used by many ISPs. It is a method of assigning a network prefix to a user site (i.e. a local network). A router can be configured to assign different network prefixes to various subnetworks. The ISP hands out a network prefix using DHCPv6 and a DHCP client assigns the prefixes to the local network. For a simple two-interface gateway, it practically assigns an IPv6 prefix to the interface connected to the local network from a prefix acquired through the interface connected to the WAN (or a pseudo-interface such as ppp).<br />
<br />
=== With dibbler ===<br />
<br />
[http://klub.com.pl/dhcpv6/ Dibbler] is a portable DHCPv6 client and server which can be used for prefix delegation. It is available in the [https://aur.archlinux.org/packages/dibbler AUR].<br />
<br />
If you are using {{ic|dibbler}} edit {{ic|/etc/dibbler/client.conf}}<br />
<br />
log-mode short<br />
log-level 7<br />
# use the interface connected to your WAN<br />
iface "WAN" {<br />
ia<br />
pd<br />
}<br />
<br />
{{Tip|Read manpage '''{{ic|dibbler-client(8)}}''' for more information.}}<br />
<br />
=== With dhcpcd ===<br />
<br />
Apart from IPv4 DHCP support, [[dhcpcd]] also provides a fairly complete implementation of the DHCPv6 client standard, which includes DHCPv6-PD. If you are using {{ic|dhcpcd}}, edit {{ic|/etc/dhcpcd.conf}}. You might already be using dhcpcd for IPv4, so just update your existing configuration.<br />
<br />
duid<br />
noipv6rs<br />
waitip 6<br />
# Uncomment this line if you are running dhcpcd for IPv6 only.<br />
#ipv6only<br />
<br />
# use the interface connected to WAN<br />
interface WAN<br />
ipv6rs<br />
iaid 1<br />
# use the interface connected to your LAN<br />
ia_pd 1 LAN<br />
#ia_pd 1/::/64 LAN/0/64<br />
<br />
This configuration will request a prefix on the WAN interface ({{ic|WAN}}) and delegate it to the internal interface ({{ic|LAN}}).<br />
In the event that a {{ic|/64}} range is issued, you will need to use the second {{ic|ia_pd}} instruction (the commented-out one) instead.<br />
It will also disable router solicitations on all interfaces except for the WAN interface ({{ic|WAN}}).<br />
<br />
{{Tip|Also read: manpages '''{{ic|dhcpcd(8)}}''' and '''{{ic|dhcpcd.conf(5)}}'''.}}<br />
<br />
=== With WIDE-DHCPv6 ===<br />
<br />
[http://wide-dhcpv6.sourceforge.net/ WIDE-DHCPv6] is an open-source implementation of Dynamic Host Configuration Protocol for IPv6 (DHCPv6) originally developed by the KAME project.<br />
<br />
If you are using {{ic|wide-dhcpv6}} edit {{ic|/etc/wide-dhcpv6/dhcp6c.conf}}<br />
<br />
# use the interface connected to your WAN<br />
interface WAN {<br />
send ia-pd 0;<br />
};<br />
<br />
id-assoc pd 0 {<br />
# use the interface connected to your LAN<br />
prefix-interface LAN {<br />
sla-id 1;<br />
sla-len 8;<br />
};<br />
};<br />
<br />
{{Note|1={{ic|sla-len}} should be set so that {{ic|1=(WAN-prefix) + (sla-len) = 64}}. In this case it is set up for a {{ic|/56}} prefix 56+8=64. For a {{ic|/64}} prefix {{ic|sla-len}} should be {{ic|0}}.}}<br />
<br />
To enable/start the wide-dhcpv6 client use the following command. Replace {{ic|WAN}} with the interface that is connected to your WAN.<br />
# systemctl enable/start dhcp6c@WAN.service<br />
<br />
{{Tip|Read manpages '''{{ic|dhcp6c(8)}}''' and '''{{ic|dhcp6c.conf(5)}}''' for more information.}}<br />
<br />
== IPv6 on Comcast ==<br />
<br />
{{ic|dhcpcd -4}} or {{ic|dhcpcd -6}} worked using a Motorola SURFBoard 6141 and a Realtek RTL8168d/8111d. Either would work on its own, but not as dual stack with both protocols and addresses on one interface. (The {{ic|-6}} command would not work if {{ic|-4}} had run first, even after resetting the interface, and when it did work it gave the NIC a /128 address.) Try these commands instead:<br />
<br />
# dhclient -4 enp3s0<br />
# dhclient -P -v enp3s0<br />
<br />
The {{ic|-P}} argument requests a lease for an IPv6 prefix only (prefix delegation). {{ic|-v}} writes to {{ic|stdout}} what is also written to {{ic|/var/lib/dhclient/dhclient6.leases}}:<br />
<br />
Bound to *:546<br />
Listening on Socket/enp3s0<br />
Sending on Socket/enp3s0<br />
PRC: Confirming active lease (INIT-REBOOT).<br />
XMT: Forming Rebind, 0 ms elapsed.<br />
XMT: X-- IA_PD a1:b2:cd:e2<br />
XMT: | X-- Requested renew +3600<br />
XMT: | X-- Requested rebind +5400<br />
XMT: | | X-- '''IAPREFIX 1234:5:6700:890::/64'''<br />
<br />
{{ic|IAPREFIX}} is the value you need. Insert {{ic|1}} after the trailing {{ic|::}} (i.e. before the CIDR slash) to turn the prefix into a usable address:<br />
<br />
# ip -6 addr add 1234:5:6700:890::1/64 dev enp3s0<br />
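The address arithmetic behind the two preceding sections (the {{ic|sla-len}} rule for WIDE-DHCPv6 and turning an {{ic|IAPREFIX}} into a router address) is shown in the following Python, an added example that is not part of the ArchWiki article. It derives the {{ic|/64}} that subnet number {{ic|sla-id}} occupies inside a delegated prefix, rejects combinations where prefix length plus {{ic|sla-len}} is not 64 or where the {{ic|sla-id}} does not fit, and forms the {{ic|::1}} host address for {{ic|ip -6 addr add}}. The prefixes used are documentation placeholders, not values from any real delegation.<br />
<br />
```python
"""Derive a LAN /64 and its router address from a delegated IPv6 prefix.

Added example: mirrors what a DHCPv6-PD client does with sla-id/sla-len
(dhcp6c) or ia_pd (dhcpcd), following the rule prefix length + sla-len == 64.
"""
import ipaddress


def sla_len_for(delegated):
    """The sla-len that makes (delegated prefix length) + sla-len == 64."""
    net = ipaddress.IPv6Network(delegated, strict=True)
    if net.prefixlen > 64:
        raise ValueError(f"{net} is longer than /64 and cannot hold a /64 subnet")
    return 64 - net.prefixlen


def lan_subnet(delegated, sla_id, sla_len=None):
    """Return the /64 that subnet number `sla_id` occupies inside `delegated`."""
    net = ipaddress.IPv6Network(delegated, strict=True)
    if sla_len is None:
        sla_len = sla_len_for(delegated)
    if net.prefixlen + sla_len != 64:
        raise ValueError(f"prefix /{net.prefixlen} + sla-len {sla_len} != 64")
    if not 0 <= sla_id < (1 << sla_len):
        raise ValueError(f"sla-id {sla_id} does not fit in {sla_len} bits")
    # The SLA ID fills the bits between the delegated prefix and bit 64, i.e.
    # the bottom of the 64-bit network part; shift it up past the 64-bit IID.
    subnet_start = int(net.network_address) | (sla_id << 64)
    return ipaddress.IPv6Network((subnet_start, 64))


def router_address(subnet, host=1):
    """'<subnet>::<host>/<len>' as accepted by `ip -6 addr add`."""
    if not 0 < host < (1 << (128 - subnet.prefixlen)):
        raise ValueError("host part out of range")
    return str(ipaddress.IPv6Interface((int(subnet.network_address) + host, subnet.prefixlen)))


def plan(delegated, sla_id=1):
    """Everything needed for one LAN from one delegation."""
    subnet = lan_subnet(delegated, sla_id)
    return {"sla_len": sla_len_for(delegated), "subnet": str(subnet),
            "router": router_address(subnet)}


if __name__ == "__main__":
    # A /56 delegation (documentation prefix) carved into its subnet 1, and a
    # bare /64 delegation, where sla-len must be 0 and there is only subnet 0.
    print(plan("2001:db8:abcd:100::/56", sla_id=1))
    print(plan("2001:db8:1:2::/64", sla_id=0))
```
<br />
With a {{ic|/56}} the helper returns {{ic|sla_len}} 8 and subnet 1 becomes {{ic|2001:db8:abcd:101::/64}}; with the {{ic|/64}} from the dhclient output above only {{ic|sla-id}} 0 fits, and the router address comes out as the {{ic|::1}} form used in the {{ic|ip -6 addr add}} command.<br />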
<br />
== Disable IPv6 ==<br />
<br />
{{Note|The Arch kernel has IPv6 support built in directly, therefore a module cannot be blacklisted.}}<br />
<br />
{{Expansion|Add reasons why users may want to disable IPv6, such as low-quality DNS servers or firewall rules}}<br />
<br />
=== Disable functionality ===<br />
<br />
Adding {{ic|1=ipv6.disable=1}} to the kernel line disables the whole IPv6 stack, which is likely what you want if you are experiencing issues. See [[Kernel parameters]] for more information.<br />
<br />
Alternatively, adding {{ic|1=ipv6.disable_ipv6=1}} instead will keep the IPv6 stack functional but will not assign IPv6 addresses to any of your network devices.<br />
<br />
One can also avoid assigning IPv6 addresses to specific network interfaces by adding the following sysctl config to {{ic|/etc/sysctl.d/40-ipv6.conf}}:<br />
<br />
# Disable IPv6<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.''nic0''.disable_ipv6 = 1<br />
...<br />
net.ipv6.conf.''nicN''.disable_ipv6 = 1<br />
<br />
Note that you must list all of the targeted interfaces explicitly, as setting {{ic|all.disable_ipv6}} does not apply to interfaces that are already "up" when the sysctl settings are applied.<br />
<br />
Also, if you disable IPv6 via sysctl, you should comment out the IPv6 hosts in your {{ic|/etc/hosts}}:<br />
<br />
#<ip-address> <hostname.domain.org> <hostname><br />
127.0.0.1 localhost.localdomain localhost<br />
#::1 localhost.localdomain localhost<br />
<br />
otherwise there could be connection errors, because hosts are resolved to their IPv6 address, which is no longer reachable.<br />
<br />
=== Other programs ===<br />
<br />
Disabling IPv6 functionality in the kernel does not prevent other programs from trying to use IPv6. In most cases, this is completely harmless, but if you find yourself having issues with that program, you should consult the program's manual pages for a way to disable that functionality.<br />
<br />
==== dhcpcd ====<br />
<br />
''dhcpcd'' will continue to harmlessly attempt to perform IPv6 router solicitation. To disable this, as stated in the {{ic|dhcpcd.conf(5)}} [[man page]], add the following to {{ic|/etc/dhcpcd.conf}}:<br />
<br />
noipv6rs<br />
noipv6<br />
<br />
==== NetworkManager ====<br />
<br />
{{Poor writing|Specific approach to disable via GUI}}<br />
<br />
To disable IPv6 in NetworkManager, right-click the network status icon and select ''Edit Connections > Wired > '''Network name''' > Edit > IPv6 Settings > Method > Ignore/Disabled'', where '''Network name''' is the connection you want to change.<br />
<br />
Then click "Save".<br />
<br />
==== ntpd ====<br />
<br />
Following advice in [[Systemd#Drop-in snippets]], change how systemd starts {{ic|ntpd.service}}:<br />
<br />
# systemctl edit ntpd.service<br />
<br />
This will create a drop-in snippet that overrides the {{ic|ExecStart}} of the default {{ic|ntpd.service}}. The {{ic|-4}} flag prevents IPv6 from being used by the NTP daemon. Put the following into the drop-in snippet:<br />
<br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/ntpd -4 -g -u ntp:ntp<br />
<br />
which first clears the previous {{ic|ExecStart}}, and then replaces it with one that includes the {{ic|-4}} flag.<br />
<br />
== See also ==<br />
<br />
* [https://www.kernel.org/doc/Documentation/networking/ipv6.txt IPv6] - kernel.org documentation<br />
* [http://www.ipsidixit.net/2012/08/09/ipv6-temporary-addresses-and-privacy-extensions/ IPv6 temporary addresses] - a summary about temporary addresses and privacy extensions<br />
* [http://tldp.org/HOWTO/Linux+IPv6-HOWTO/x513.html IPv6 prefixes] - a summary of prefix types<br />
* [http://tldp.org/HOWTO/Linux+IPv6-HOWTO/proc-sys-net-ipv6..html net.ipv6 options] - documentation of kernel parameters</div>Foucaulthttps://wiki.archlinux.org/index.php?title=Router&diff=369323Router2015-04-11T14:34:40Z<p>Foucault: /* Connection sharing */ Spurious newline</p>
<hr />
<div>[[Category:Networking]]<br />
[[Category:Security]]<br />
{{Poor writing|The introduction states that this page "focuses on ''security''", but 99% is plain system configuration. It also needs massive deduplication, security is already covered [[Simple stateful firewall|elsewhere]].}}<br />
<br />
This article is a tutorial for turning a computer into an internet gateway/router. It focuses on ''security'', since the gateway is connected directly to the Internet. It should not run '''any''' services available to the outside world. Towards the LAN, it should only run gateway-specific services. It should not run httpd, ftpd, samba, nfsd, etc.: those belong on a server inside the LAN, since every extra service on the gateway adds exposed attack surface.<br />
<br />
This article does not attempt to show how to set up a shared connection between 2 PCs using cross-over cables. For a simple internet sharing solution, see [[Internet sharing]].<br />
<br />
==Hardware Requirements==<br />
* At least 1 GB of hard drive space. The base install will take up around 500MB of space and if you want to use a caching web proxy, you will need to reserve space for the cache as well.<br />
* At least two physical network interfaces: a gateway connects two networks with each other. You will need to be able to connect those networks to the same physical computer. One interface must connect to the external network, while the other connects to the internal network.<br />
* A hub, switch or UTP cable: You need a way to connect the other computers to the gateway<br />
<br />
==Conventions==<br />
Conventions in this guide will be to use non-realistic interface names, to avoid confusion about which interface is which.<br />
<br />
* '''intern0''': the network card connected to the LAN. On an actual computer it will probably have the name enp2s0, enp1s1, etc.<br />
* '''extern0''': the network card connected to the external network (or WAN). It will probably have the name enp2s0, enp1s1, etc.<br />
<br />
==Installation==<br />
{{Note | For a full installation guide, see the [[Installation guide]].}}<br />
<br />
A fresh install of Arch Linux is the easiest to start from, as no configuration changes have been made and there is a minimal amount of packages installed. This is helpful when attempting to reduce security risk.<br />
<br />
===Partitioning===<br />
<br />
For security purposes, {{ic|/var}}, {{ic|/tmp}} and {{ic|/home}} should be separate from the {{ic|/}} partition. This prevents disk space from being completely used up by log files, daemons or the unprivileged user. It also allows different mount options for those partitions. If you have already partitioned your drive, the [http://gparted.sourceforge.net/ gparted livecd] can be used to resize, move, or create new partitions.<br />
<br />
Your home and root partitions can be much smaller than a regular install since this is not a desktop machine. {{ic|/var}} should be the largest partition—it is where databases, logs and long-term caches are stored. If you have a lot of RAM, mounting {{ic|/tmp}} as {{ic|tmpfs}} is a good idea, so making a disk partition for it during the initial install is unnecessary. Note that {{ic|/tmp}} is mounted as {{ic|tmpfs}} by default in Arch.<br />
<br />
===Post-Installation===<br />
After creation of non-root account you are recommended to install [[sudo]] and [[sudo#Disable root login|disable root login]].<br />
<br />
==Network interface configuration==<br />
<br />
===Persistent naming and Interface renaming===<br />
Systemd automatically chooses unique interface names for all your interfaces. These are persistent and will not change when you reboot. If you would like to rename interfaces to friendlier names, read [[Network configuration#Device_names]].<br />
<br />
===IP configuration===<br />
Now you will need to configure the network interfaces. The best way to do so is using [[netctl]] profiles. You will need to create two profiles.<br />
{{Note|If you will be connecting to the Internet only via PPPoE (you have one WAN port) you '''do not need''' to setup or enable the extern0-profile. See below for more information on configuring PPPoE.}}<br />
* {{ic|/etc/netctl/extern0-profile}}<br />
Description='Public Interface.'<br />
Interface=extern0<br />
Connection=ethernet<br />
IP='dhcp'<br />
<br />
* {{ic|/etc/netctl/intern0-profile}}<br />
Description='Private Interface'<br />
Interface=intern0<br />
Connection=ethernet<br />
IP='static'<br />
Address=('10.0.0.1/24')<br />
<br />
{{Note|The example configuration above assumes a full subnet. If you are building the gateway for a small amount of people, you will want to change the CIDR suffix to accommodate a smaller range. For example /27 will give you 10.0.0.1 to 10.0.0.30. You can find many CIDR calculators online.}}<br />
<br />
Next up is to set up the interfaces with netctl.<br />
# netctl enable extern0-profile<br />
# netctl enable intern0-profile<br />
<br />
==ADSL connection/PPPoE==<br />
Using rp-pppoe, we can connect an ADSL modem to the {{ic|extern0}} interface of the firewall and have Arch manage the connection. Make sure you put the modem in ''bridged'' mode though (either half-bridge or RFC1483), otherwise the modem will act as a router too.<br />
# pacman -S rp-pppoe<br />
<br />
Note that if you use only PPPoE to connect to the internet (i.e. you have no other WAN port except for the one that connects to your modem) you do not need to set up the {{ic|extern0-profile}}, as the external pseudo-interface will be {{ic|ppp0}}.<br />
<br />
===PPPoE configuration===<br />
You can use netctl to set up the PPPoE connection. To get started:<br />
# cp /etc/netctl/examples/pppoe /etc/netctl/<br />
and start editing. For the interface configuration choose the interface that connects to the modem. If you only connect to the internet through PPPoE this will probably be {{ic|extern0}}. Fill in the rest of the fields with your ISP information. See the PPPoE section of the {{ic|netctl.profile(5)}} man page for more information on the fields.<br />
<br />
==DNS and DHCP==<br />
We will use [[dnsmasq]], a DNS and DHCP daemon for the LAN. It was specifically designed for small sites. To get it, [[Pacman | install]] {{Pkg|dnsmasq}} from the [[official repositories]].<br />
<br />
Dnsmasq needs to be configured to be a DHCP server. To do this:<br />
<br />
Edit {{ic|/etc/dnsmasq.conf}}:<br />
<br />
# make dnsmasq listen for requests only on intern0 (our LAN)<br />
interface=intern0<br />
# add a domain to simple hostnames in /etc/hosts<br />
expand-hosts<br />
# allow fully qualified domain names for DHCP hosts (needed when "expand-hosts" is used)<br />
domain=foo.bar<br />
# DHCP range for the LAN: from 10.0.0.2 to 10.0.0.254 (10.0.0.255 is the broadcast<br />
# address of this /24), subnet mask 255.255.255.0, lease time 1 hour (adjust to taste)<br />
dhcp-range=10.0.0.2,10.0.0.254,255.255.255.0,1h<br />
<br />
Further down in the file you will notice that you can also add "static" DHCP leases, i.e. assign an IP address to the MAC address of a computer on the LAN. This way, whenever the computer requests a new lease, it will get the same IP. That is very useful for network servers with a DNS record. You can also deny certain MACs from obtaining an IP.<br />
<br />
Now start dnsmasq:<br />
# systemctl start dnsmasq.service<br />
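As an added example (not part of the ArchWiki article), the following Python builds a {{ic|dhcp-range}} line for dnsmasq from the {{ic|intern0}} address and prefix, and checks an existing line against that subnet: it catches a pool that lies outside the LAN, ends on the broadcast address, or swallows the gateway's own address. The addresses are the ones used in this guide (including the {{ic|/27}} case from the note above); the helper assumes the gateway takes the first usable address of the subnet, as {{ic|10.0.0.1/24}} does.<br />
<br />
```python
"""Generate and sanity-check a dnsmasq dhcp-range for the gateway's LAN subnet.

Added example, not part of the ArchWiki article.
"""
import ipaddress


def dhcp_range_for(cidr, lease="1h"):
    """dhcp-range line for the LAN whose gateway address/prefix is `cidr`.

    Assumes the gateway holds the first usable address (e.g. 10.0.0.1/24), so the
    pool runs from the second usable address up to the last one before broadcast.
    """
    iface = ipaddress.IPv4Interface(cidr)
    net = iface.network
    hosts = list(net.hosts())          # excludes network and broadcast addresses
    if not hosts or iface.ip != hosts[0]:
        raise ValueError("gateway is expected to hold the first usable address")
    pool = hosts[1:]
    if not pool:
        raise ValueError(f"{net} leaves no addresses for clients")
    return f"dhcp-range={pool[0]},{pool[-1]},{net.netmask},{lease}"


def check_dhcp_range(line, cidr):
    """Problems with an existing dhcp-range line relative to the LAN `cidr`; [] if none."""
    iface = ipaddress.IPv4Interface(cidr)
    net = iface.network
    fields = line.strip().split("=", 1)[1].split(",")
    start, end = ipaddress.IPv4Address(fields[0]), ipaddress.IPv4Address(fields[1])
    problems = []
    if start not in net or end not in net:
        problems.append("range is not inside the interface subnet")
    if start > end:
        problems.append("start is after end")
    if end == net.broadcast_address:
        problems.append("end is the broadcast address")
    if start <= iface.ip <= end:
        problems.append("range includes the gateway's own address")
    # Third field is optional and may be either a netmask or a lease time.
    if len(fields) > 2 and fields[2].count(".") == 3:
        if ipaddress.IPv4Address(fields[2]) != net.netmask:
            problems.append("netmask does not match the interface subnet")
    return problems


if __name__ == "__main__":
    for cidr in ("10.0.0.1/24", "10.0.0.1/27"):
        print(dhcp_range_for(cidr))
    print(check_dhcp_range("dhcp-range=10.0.0.2,10.0.0.255,255.255.255.0,1h", "10.0.0.1/24"))
```
<br />
dnsmasq itself refuses to hand out the server's own address and addresses ending in .0 or .255, so the broadcast check is a configuration-hygiene warning rather than a live fault; the subnet-mismatch check is the one that stops clients from getting any lease at all.<br />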
<br />
==Connection sharing==<br />
<br />
Time to tie the two network interfaces to each other.<br />
===iptables===<br />
[[Simple stateful firewall]] documents the setup of an [[iptables]] firewall and NAT.<br />
<br />
Make sure you have added the firewall exceptions for DHCP (port 67) and DNS (port 53) on the LAN interface if you want to use dnsmasq:<br />
<br />
* Insert Rules:<br />
# iptables -t filter -I INPUT -i intern0 -p udp -m udp --dport 67 -j ACCEPT<br />
# iptables -t filter -I INPUT -i intern0 -p tcp -m tcp --dport 67 -j ACCEPT<br />
# iptables -t filter -I INPUT -i intern0 -p udp -m udp --dport 53 -j ACCEPT<br />
# iptables -t filter -I INPUT -i intern0 -p tcp -m tcp --dport 53 -j ACCEPT<br />
<br />
===Shorewall===<br />
Shorewall, an iptables frontend, can be used as an easier alternative. See [[Shorewall]] for detailed configuration.<br />
<br />
==IPv6==<br />
<br />
{{Merge|IPv6|Merge into the main article, the topic is not specific to ''router configuration''. The wording should be probably changed along the way.}}<br />
<br />
''Useful reading: [[IPv6]] and the [https://en.wikipedia.org/wiki/IPv6 Wikipedia IPv6 entry].''<br />
<br />
You can use your router in IPv6 mode even if you do not have an IPv6 address from your ISP. Unless you disable IPv6, all interfaces should already have been assigned a unique link-local address from {{ic|fe80::/10}}.<br />
<br />
For internal networking the block {{ic|fc00::/7}} has been reserved. These addresses are guaranteed to be unique and are not routable from the open internet. Addresses that belong to the {{ic|fc00::/7}} block are called [http://en.wikipedia.org/wiki/Unique_local_address Unique Local Addresses] (ULAs). To get started, [http://www.simpledns.com/private-ipv6.aspx generate a ULA /64 block] to use in your network. For this example we will use {{ic|fd00:aaaa:bbbb:cccc::/64}}. First we must assign a static IPv6 address on the internal interface. Modify the {{ic|intern0-profile}} we created above to include the following line:<br />
IPCustom=('-6 addr add fd00:aaaa:bbbb:cccc::1/64 dev intern0')<br />
This will add the ULA to the internal interface. As far as the router goes, this is all you need to configure.<br />
<br />
===Router Advertisement and Stateless Autoconfiguration (SLAAC)===<br />
<br />
To properly hand out IPv6s to the network clients we will need to use an advertising daemon. The standard tool for this job is {{Pkg|radvd}} and is available in [[official repositories]]. Configuration of radvd is fairly simple. Edit {{ic|/etc/radvd.conf}} to include<br />
<br />
interface intern0 {<br />
AdvSendAdvert on;<br />
MinRtrAdvInterval 3;<br />
MaxRtrAdvInterval 10;<br />
prefix fd00:aaaa:bbbb:cccc::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
};<br />
};<br />
<br />
The above configuration tells clients to autoconfigure themselves using addresses from the specified /64 block. Client addresses are generated from the MAC address of the connected interface and are optionally randomised for privacy reasons if [[IPv6#Privacy_Extensions|privacy extensions]] are enabled (which is recommended). On the client side you need to enable {{ic|1=IP6=stateless}} in your active netctl profile. If you want a static IP as well, add:<br />
IPCustom=('-6 addr add fd00:aaaa:bbbb:cccc::2/64 dev eth0')<br />
<br />
Do not forget to enable {{ic|radvd.service}}.<br />
<br />
====Firewall tweaks====<br />
<br />
Stateless autoconfiguration works only if ICMPv6 packets are allowed throughout the network, so some firewall tweaks are required on both ends of the network for it to work properly. On the '''client side''' all you need to do is allow the {{ic|ipv6-icmp}} protocol on the INPUT chain. If you are using [[Simple stateful firewall]] you only need to add:<br />
<br />
-A INPUT -p ipv6-icmp -j ACCEPT<br />
<br />
You can limit it to the internal network using {{ic|-s fd00:aaaa:bbbb:cccc::/64}} and/or {{ic|-s fe80::/10}} if you consider the blanket rule a security risk. Additionally you must add the same rule to your router's firewall, extending it to the OUTPUT and FORWARD chains as well:<br />
<br />
-A INPUT -p ipv6-icmp -j ACCEPT<br />
-A OUTPUT -p ipv6-icmp -j ACCEPT<br />
-A FORWARD -p ipv6-icmp -j ACCEPT<br />
<br />
Again, you can limit it to the internal network for the INPUT chain.<br />
<br />
{{Expansion|More information on IPv6 firewalls required}}<br />
{{Expansion|Additional info on running DHCPv6 server instead of SLAAC}}<br />
<br />
===Global Unicast Addresses===<br />
<br />
====Static WAN IPv6====<br />
<br />
If your ISP or WAN network can reach the IPv6 Internet, you can assign global unicast addresses to your router and propagate them through SLAAC to your internal network. If you can use a static IPv6 address, all you must do is add it to your external profile and enable advertisement of the global unicast block in {{ic|radvd.conf}}.<br />
<br />
In {{ic|/etc/netctl/extern0-profile}} simply add the IPv6 address and prefix (usually /64) you have been provided:<br />
<br />
IPCustom=('-6 addr add 2002:1:2:3:4:5:6:7/64 dev extern0')<br />
<br />
and edit {{ic|/etc/radvd.conf}} to include the new advertisement block.<br />
<br />
interface intern0 {<br />
AdvSendAdvert on;<br />
MinRtrAdvInterval 3;<br />
MaxRtrAdvInterval 10;<br />
prefix fd00:aaaa:bbbb:cccc::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
};<br />
prefix 2002:1:2:3::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
};<br />
};<br />
<br />
In that way your internal network clients will also get a Global IPv6 address. This IP is routable from the open internet, so adjust your firewalls. Please note that global and local IPv6s can co-exist on the same interface without further configuration.<br />
<br />
====Acquiring WAN IPv6 via DHCPv6-PD====<br />
<br />
You can acquire IPv6 via prefix delegation following the instructions in the [[IPv6|main IPv6 article]]. Following the conventions of this article the WAN interface is {{ic|extern0}} (or {{ic|ppp0}} if you are connecting through PPPoE) and the LAN interface is {{ic|intern0}}. You might need to update your Router Advertisement configuration to advertise all assigned {{ic|/64}} prefixes. Simply change {{ic|/etc/radvd.conf}} to<br />
<br />
interface intern0 {<br />
AdvSendAdvert on;<br />
MinRtrAdvInterval 3;<br />
MaxRtrAdvInterval 10;<br />
prefix ::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
DeprecatePrefix on;<br />
};<br />
};<br />
<br />
==Cleanup==<br />
<br />
Now that the installation has been performed, it is necessary to remove as many packages as possible. Since we are making a gateway, keeping unneeded packages only "bloats" the system, and increases the number of security risks.<br />
<br />
First, check for obsolete/deprecated packages (likely after a fresh install and massive series of updates):<br />
<br />
$ pacman -Qm<br />
<br />
Review the list of explicitly installed packages that are not dependencies and remove any that are unneeded. Having only needed packages installed is an important security consideration.<br />
<br />
$ pacman -Qet<br />
<br />
Completely remove the packages you do not need along with their configuration files and dependencies:<br />
<br />
# pacman -Rsn package1 package2 package3<br />
<br />
== Logrotate ==<br />
<br />
You should review the [[logrotate]] configuration to make sure the box is not brought down by lack of diskspace due to logging.<br />
<br />
Logrotate is installed by default, so you will not have to install it.<br />
<br />
==Optional additions==<br />
<br />
===UPnP===<br />
The above configuration of shorewall does not include [[Wikipedia:UPnP|UPnP]] support. Use of UPnP is discouraged as it may make the gateway vulnerable to attacks from within the LAN. However, some applications require this to function correctly.<br />
<br />
To enable UPnP on your router, you need a UPnP Internet Gateway Device daemon (IGD). Install {{Pkg|miniupnpd}} from the [[official repositories]].<br />
<br />
Read the [http://www.shorewall.net/UPnP.html Shorewall guide on UPnP] for more information.<br />
<br />
===Remote administration===<br />
<br />
[[SSH|OpenSSH]] can be used to administer your router remotely. This is useful for running it "headless" (no monitor or input devices).<br />
<br />
=== Caching web proxy ===<br />
<br />
See [[Squid]] or [[Polipo]] for the setup of a web proxy to speed up browsing and/or add an extra layer of security.<br />
<br />
=== Time server ===<br />
To use the router as a time server, see [[Network Time Protocol daemon]].<br />
<br />
Then, configure shorewall or iptables to allow NTP traffic in and out.<br />
<br />
=== Content filtering ===<br />
<br />
Install and configure [[DansGuardian]] or [[Privoxy]] if you need a content filtering solution.<br />
<br />
=== Traffic shaping ===<br />
<br />
Traffic shaping is very useful, especially when you are not the only one on the LAN. The idea is to assign a priority to different types of traffic. Interactive traffic (ssh, online gaming) probably needs the highest priority, while P2P traffic can do with the lowest. Then there is everything in between.<br />
<br />
==== Traffic shaping with shorewall ====<br />
<br />
Read [http://www.shorewall.net/traffic_shaping.htm Shorewall's Traffic Shaping/Control] guide.<br />
<br />
Here is my config as an example:<br />
* /etc/shorewall/tcdevices : here is where you define the interface you want to have shaped and its rates. I have got an ADSL connection with a 4MBit down/256KBit up profile.<br />
ppp0 4mbit 256kbit <br />
* /etc/shorewall/tcclasses : here you define the minimum (rate) and maximum (ceil) throughput per class. You will assign each one to a type of traffic to shape.<br />
# interactive traffic (ssh)<br />
ppp0 1 full full 0<br />
# online gaming<br />
ppp0 2 full/2 full 5<br />
# http<br />
ppp0 3 full/4 full 10<br />
# rest<br />
ppp0 4 full/6 full 15 default<br />
* /etc/shorewall/tcrules : this file contains the types of traffic and the class it belongs to.<br />
1 0.0.0.0/0 0.0.0.0/0 tcp ssh<br />
2 0.0.0.0/0 0.0.0.0/0 udp 27000:28000<br />
3 0.0.0.0/0 0.0.0.0/0 tcp http<br />
3 0.0.0.0/0 0.0.0.0/0 tcp https<br />
I have split my traffic into 4 groups: <br />
# interactive traffic or ssh: although it takes up almost no bandwidth, it is very annoying if it lags due to leechers on the LAN. This gets the highest priority.<br />
# online gaming: needless to say you cannot play when your ping sucks. ;)<br />
# web traffic: can be a bit slower<br />
# everything else: every sort of download, they are the cause of the lag anyway.<br />
<br />
===Intrusion detection and prevention with snort===<br />
<br />
See [[Snort]].<br />
<br />
==See also==<br />
*[[Simple stateful firewall]]<br />
*[[Internet sharing]]</div>Foucaulthttps://wiki.archlinux.org/index.php?title=IPv6&diff=369322IPv62015-04-11T14:33:47Z<p>Foucault: /* Prefix delegation (DHCPv6-PD) */ More formatting</p>
<hr />
<div>[[Category:Networking]]<br />
[[es:IPv6]]<br />
[[ja:IPv6]]<br />
[[pt:IPv6]]<br />
[[ru:IPv6]]<br />
[[zh-CN:IPv6]]<br />
{{Related articles start}}<br />
{{Related|IPv6 tunnel broker setup}}<br />
{{Related articles end}}<br />
In Arch Linux, IPv6 is enabled by default. If you are looking for information regarding IPv6 tunnels, you may want to look at [[IPv6 tunnel broker setup]].<br />
<br />
== Privacy extensions ==<br />
<br />
To enable Privacy Extensions for Stateless Address Autoconfiguration in IPv6 according to [https://tools.ietf.org/html/rfc4941 RFC 4941], reproduce the following steps:<br />
<br />
Add these lines to {{ic|/etc/sysctl.d/40-ipv6.conf}}:<br />
<br />
# Enable IPv6 Privacy Extensions<br />
net.ipv6.conf.all.use_tempaddr = 2<br />
net.ipv6.conf.default.use_tempaddr = 2<br />
net.ipv6.conf.''nic0''.use_tempaddr = 2<br />
...<br />
net.ipv6.conf.''nicN''.use_tempaddr = 2<br />
<br />
Where {{ic|nic0}} to {{ic|nicN}} are your '''N'''etwork '''I'''nterface '''C'''ards. The {{ic|all.use_tempaddr}} and {{ic|default.use_tempaddr}} parameters are not applied to NICs that already exist when the [[sysctl]] settings are executed. <br />
<br />
After a reboot, at the latest, Privacy Extensions should be enabled.<br />
<br />
=== dhcpcd ===<br />
<br />
[[dhcpcd]] has included the option {{ic|slaac private}} in its default configuration file since version 6.4.0; it enables "Stable Private IPv6 Addresses instead of hardware based ones", implementing [https://tools.ietf.org/html/rfc7217 RFC 7217] ([http://roy.marples.name/projects/dhcpcd/info/8aa9dab00dc72c453aeccbde885ecce27a3d81ff commit]). Therefore nothing needs to be changed, unless you want the IPv6 address to change more often than each time the system is connected to a new network.<br />
<br />
=== NetworkManager ===<br />
<br />
NetworkManager does not honour the settings placed in {{ic|/etc/sysctl.d/40-ipv6.conf}}. This can be verified by running {{ic|$ ip -6 addr show ''interface''}} after rebooting: no {{ic|scope global '''temporary'''}} address appears besides the regular one.<br />
<br />
See [[NetworkManager#Enable IPv6 Privacy Extensions]] for a workaround.<br />
<br />
{{Note|Although it may seem the {{ic|scope global temporary}} IPv6 address created by enabling Privacy Extensions never gets renewed (it never shifts to {{ic|deprecated}} status at the term of its {{ic|valid_lft}} lifetime), it is to be verified over a longer period of time that this address '''does''' indeed change.}}<br />
<br />
== Neighbor discovery ==<br />
<br />
Pinging the multicast address {{ic|ff02::1}} results in all hosts in link-local scope responding. An interface has to be specified:<br />
<br />
$ ping6 ff02::1%eth0<br />
<br />
With a ping to the multicast address {{ic|ff02::2}} only routers will respond.<br />
<br />
If you add the option {{ic|-I ''your-global-ipv6''}}, link-local hosts will respond with their global scope addresses. The interface can be omitted in this case:<br />
<br />
$ ping6 -I 2001:4f8:fff6::21 ff02::1<br />
<br />
== Static address ==<br />
<br />
Sometimes using a static address can improve security. For example, if your local router uses Neighbor Discovery or radvd ([http://www.apps.ietf.org/rfc/rfc2461.html RFC 2461]), your interface will automatically be assigned an address based on its MAC address (using IPv6 Stateless Address Autoconfiguration). This may be less than ideal for security since it allows a system to be tracked even if the network portion of the IP address changes.<br />
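The two checks above, the {{ic|ip -6 addr show}} verification from the NetworkManager section and the MAC-derived (EUI-64) address concern from this section, as an added example that is not part of the article. It parses constructed sample output with documentation-range addresses; on a real host feed it the output of {{ic|ip -6 addr show ''interface''}}.<br />

```python
"""Check `ip -6 addr show` output for IPv6 privacy-extension coverage.

Added example, not part of the ArchWiki article: it parses the text that
`ip -6 addr show <interface>` prints, reports whether a usable
`scope global temporary` address exists (the check described for
NetworkManager) and flags global addresses whose interface identifier
is EUI-64, i.e. built from the MAC address (the tracking concern above).
"""
import ipaddress
import re

# Constructed sample of `ip -6 addr show eth0` output (documentation-range
# addresses, not real hosts): one SLAAC address derived from the MAC, one
# active temporary address, one deprecated temporary address, one link-local.
SAMPLE_IP_ADDR_OUTPUT = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:a1b2:c3ff:fed4:e5f6/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 86398sec preferred_lft 14398sec
    inet6 2001:db8:1:2:1234:5678:9abc:def0/64 scope global temporary dynamic
       valid_lft 86398sec preferred_lft 14398sec
    inet6 2001:db8:1:2:1111:2222:3333:4444/64 scope global temporary deprecated dynamic
       valid_lft 3600sec preferred_lft 0sec
    inet6 fe80::a1b2:c3ff:fed4:e5f6/64 scope link
       valid_lft forever preferred_lft forever
"""

INET6_RE = re.compile(r"^\s*inet6\s+([0-9a-fA-F:]+)/(\d+)\s+scope\s+(\S+)(.*)$")
LFT_RE = re.compile(r"valid_lft\s+(\S+)\s+preferred_lft\s+(\S+)")


def _lifetime(value):
    """Convert '14398sec' / 'forever' to seconds (inf for forever)."""
    return float("inf") if value == "forever" else int(value[:-3])


def parse_ip6_addrs(text):
    """Return one dict per `inet6` line: address, prefix length, scope,
    flag words, and the preferred lifetime taken from the following line."""
    addrs = []
    for line in text.splitlines():
        m = INET6_RE.match(line)
        if m:
            addrs.append({
                "addr": ipaddress.IPv6Address(m.group(1)),
                "prefixlen": int(m.group(2)),
                "scope": m.group(3),
                "flags": set(m.group(4).split()),
                "preferred_lft": 0,
            })
            continue
        m = LFT_RE.search(line)
        if m and addrs:
            addrs[-1]["preferred_lft"] = _lifetime(m.group(2))
    return addrs


def is_eui64(addr):
    """True if the 64-bit interface identifier carries the ff:fe marker in
    bits 24-39, the signature of a modified EUI-64 identifier expanded from
    a 48-bit MAC (what SLAAC uses without RFC 7217 or RFC 4941)."""
    iid = int(ipaddress.IPv6Address(str(addr))) & ((1 << 64) - 1)
    return (iid >> 24) & 0xFFFF == 0xFFFE


def privacy_report(text):
    """Summarise the global addresses of one interface.

    temporary_active: a non-deprecated temporary address with a positive
    preferred lifetime exists (privacy extensions are really in effect).
    eui64_addresses: stable global addresses that expose the MAC address.
    """
    globals_ = [a for a in parse_ip6_addrs(text) if a["scope"] == "global"]
    active_temp = [a for a in globals_
                   if "temporary" in a["flags"]
                   and "deprecated" not in a["flags"]
                   and a["preferred_lft"] > 0]
    eui64 = [str(a["addr"]) for a in globals_
             if "temporary" not in a["flags"] and is_eui64(a["addr"])]
    return {"temporary_active": bool(active_temp), "eui64_addresses": eui64}


if __name__ == "__main__":
    # Real use: pass the output of `ip -6 addr show <interface>` instead of
    # the constructed sample, which is used here so the check runs offline.
    print(privacy_report(SAMPLE_IP_ADDR_OUTPUT))
```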
<br />
To assign a static IP address using [[netctl]], look at the example profile in {{ic|/etc/netctl/examples/ethernet-static}}. The following lines are important:<br />
<br />
...<br />
# For IPv6 static address configuration<br />
IP6=static<br />
Address6=('1234:5678:9abc:def::1/64' '1234:3456::123/96')<br />
Routes6=('abcd::1234')<br />
Gateway6='1234:0:123::abcd'<br />
<br />
== IPv6 and PPPoE ==<br />
<br />
The standard tool for PPPoE, {{ic|pppd}}, provides support for IPv6 on PPPoE as long as your ISP and your modem support it. Just add the following to {{ic|/etc/ppp/pppoe.conf}}:<br />
<br />
+ipv6<br />
<br />
If you are using [[netctl]] for PPPoE, add the following to your netctl configuration instead:<br />
<br />
PPPoEIP6=yes<br />
<br />
== Prefix delegation (DHCPv6-PD) ==<br />
<br />
Prefix delegation is a common IPv6 deployment technique used by many ISPs. It is a method of assigning a network prefix to a user site (i.e. a local network). A router can be configured to assign different network prefixes to various subnetworks. The ISP hands out a network prefix using DHCPv6 and a DHCP client assigns the prefixes to the local network. For a simple two-interface gateway this practically means assigning an IPv6 prefix to the interface connected to the local network, from a delegation acquired through the interface connected to the WAN (or a pseudo-interface such as ppp).<br />
<br />
=== With dibbler ===<br />
<br />
[http://klub.com.pl/dhcpv6/ Dibbler] is a portable DHCPv6 client and server which can be used for prefix delegation.<br />
<br />
If you are using {{ic|dibbler}}, edit {{ic|/etc/dibbler/client.conf}}:<br />
<br />
log-mode short<br />
log-level 7<br />
# use the interface connected to your WAN<br />
iface "WAN" {<br />
ia<br />
pd<br />
}<br />
<br />
{{Tip|Read manpage '''{{ic|dibbler-client(8)}}''' for more information.}}<br />
<br />
=== With dhcpcd ===<br />
<br />
[[Dhcpcd]], apart from its IPv4 DHCP support, also provides a fairly complete implementation of the DHCPv6 client standard, including DHCPv6-PD. If you are using {{ic|dhcpcd}}, edit {{ic|/etc/dhcpcd.conf}}. You might already be using dhcpcd for IPv4, so just update your existing configuration.<br />
<br />
duid<br />
noipv6rs<br />
waitip 6<br />
# Uncomment this line if you are running dhcpcd for IPv6 only.<br />
#ipv6only<br />
<br />
# use the interface connected to WAN<br />
interface WAN<br />
ipv6rs<br />
iaid 1<br />
# use the interface connected to your LAN<br />
ia_pd 1 LAN<br />
#ia_pd 1/::/64 LAN/0/64<br />
<br />
This configuration will ask for a prefix on the WAN interface ({{ic|WAN}}) and delegate it to the internal interface ({{ic|LAN}}).<br />
If the ISP issues only a {{ic|/64}}, use the second, commented-out {{ic|ia_pd}} line instead.<br />
It also disables router solicitations on all interfaces except the WAN interface ({{ic|WAN}}).<br />
<br />
{{Tip|Also read: manpages '''{{ic|dhcpcd(8)}}''' and '''{{ic|dhcpcd.conf(5)}}'''.}}<br />
<br />
=== With WIDE-DHCPv6 ===<br />
<br />
[http://wide-dhcpv6.sourceforge.net/ WIDE-DHCPv6] is an open-source implementation of Dynamic Host Configuration Protocol for IPv6 (DHCPv6) originally developed by the KAME project.<br />
<br />
If you are using {{ic|wide-dhcpv6}}, edit {{ic|/etc/wide-dhcpv6/dhcp6c.conf}}:<br />
<br />
# use the interface connected to your WAN<br />
interface WAN {<br />
send ia-pd 0;<br />
};<br />
<br />
id-assoc pd 0 {<br />
# use the interface connected to your LAN<br />
prefix-interface LAN {<br />
sla-id 1;<br />
sla-len 8;<br />
};<br />
};<br />
<br />
{{Note|1={{ic|sla-len}} should be set so that {{ic|1=(WAN-prefix) + (sla-len) = 64}}. In this case it is set up for a {{ic|/56}} prefix 56+8=64. For a {{ic|/64}} prefix {{ic|sla-len}} should be {{ic|0}}.}}<br />
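The {{ic|sla-len}} rule from the note, worked through as an added example that is not part of the article or of wide-dhcpv6: it derives {{ic|sla-len}} from the delegated prefix length, computes which /64 a given {{ic|sla-id}} selects, and rejects combinations that do not add up to 64. The delegated prefix is a constructed documentation-range value.<br />

```python
"""Work out the LAN /64 that a DHCPv6-PD delegation yields.

Added example, not part of the ArchWiki article or of wide-dhcpv6: it
applies the rule from the note, (delegated prefix length) + sla-len = 64,
and computes which /64 a given sla-id selects, so that dhcp6c.conf values
can be checked before they are deployed. Prefixes are documentation-range.
"""
import ipaddress


def sla_len_for(delegated):
    """sla-len that turns `delegated` into /64 subnets (0 for a /64 delegation)."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > 64:
        raise ValueError(f"{net} is longer than /64; no /64 can be carved from it")
    return 64 - net.prefixlen


def lan_prefix(delegated, sla_id, sla_len=None):
    """Return (as a string) the /64 that `sla_id` selects inside `delegated`.

    sla-id occupies the bits between the delegated prefix and bit 64, so a
    /56 delegation gives 8 bits (sla-id 0..255) and a /64 gives none: with
    sla-len 0 the only valid sla-id is 0.
    """
    net = ipaddress.IPv6Network(delegated)
    if sla_len is None:
        sla_len = sla_len_for(delegated)
    if net.prefixlen + sla_len != 64:
        raise ValueError(f"prefix length {net.prefixlen} + sla-len {sla_len} != 64")
    if not 0 <= sla_id < (1 << sla_len):
        raise ValueError(f"sla-id {sla_id} does not fit in {sla_len} bits")
    # The low 64 bits are the interface identifier; the subnet id sits just
    # above them, so shifting sla_id by 64 places it in the sla-len field.
    subnet = int(net.network_address) | (sla_id << 64)
    return str(ipaddress.IPv6Network((subnet, 64)))


def router_address(lan):
    """`::1` inside the LAN /64, the convention used in the Comcast section."""
    net = ipaddress.IPv6Network(lan)
    return f"{net.network_address + 1}/{net.prefixlen}"


if __name__ == "__main__":
    delegated = "2001:db8:1200::/56"          # constructed /56 delegation
    print("sla-len:", sla_len_for(delegated))  # 8, as in the note: 56 + 8 = 64
    lan = lan_prefix(delegated, sla_id=1)      # matches `sla-id 1` in dhcp6c.conf
    print("LAN prefix:", lan, "router:", router_address(lan))
```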
<br />
To enable/start the wide-dhcpv6 client use the following command. Replace {{ic|WAN}} with the interface that is connected to your WAN.<br />
# systemctl enable/start dhcp6c@WAN.service<br />
<br />
{{Tip|Read manpages '''{{ic|dhcp6c(8)}}''' and '''{{ic|dhcp6c.conf(5)}}''' for more information.}}<br />
<br />
== IPv6 on Comcast ==<br />
<br />
{{ic|dhcpcd -4}} or {{ic|dhcpcd -6}} worked using a Motorola SURFBoard 6141 and a Realtek RTL8168d/8111d. Either would work, but would not run dual stack: both protocols and addresses on one interface. (The {{ic|-6}} command would not work if {{ic|-4}} ran first, even after resetting the interface. And when it did, it gave the NIC a /128 address.) Try these commands:<br />
<br />
# dhclient -4 enp3s0<br />
# dhclient -P -v enp3s0<br />
<br />
The {{ic|-P}} argument grabs a lease of the IPv6 prefix only. {{ic|-v}} writes to {{ic|stdout}} what is also written to {{ic|/var/lib/dhclient/dhclient6.leases}}:<br />
<br />
Bound to *:546<br />
Listening on Socket/enp3s0<br />
Sending on Socket/enp3s0<br />
PRC: Confirming active lease (INIT-REBOOT).<br />
XMT: Forming Rebind, 0 ms elapsed.<br />
XMT: X-- IA_PD a1:b2:cd:e2<br />
XMT: | X-- Requested renew +3600<br />
XMT: | X-- Requested rebind +5400<br />
XMT: | | X-- '''IAPREFIX 1234:5:6700:890::/64'''<br />
<br />
{{ic|IAPREFIX}} is the value you need. Replace the trailing {{ic|::}} with {{ic|::1}} before the CIDR slash to turn the prefix into a usable address:<br />
<br />
# ip -6 addr add 1234:5:6700:890::1/64 dev enp3s0<br />
<br />
== Disable IPv6 ==<br />
<br />
{{Note|The Arch kernel has IPv6 support built in directly, therefore a module cannot be blacklisted.}}<br />
<br />
{{Expansion|Add reasons why users may want to disable IPv6, such as low-quality DNS servers or firewall rules}}<br />
<br />
=== Disable functionality ===<br />
<br />
Adding {{ic|1=ipv6.disable=1}} to the kernel line disables the whole IPv6 stack, which is likely what you want if you are experiencing issues. See [[Kernel parameters]] for more information.<br />
<br />
Alternatively, adding {{ic|1=ipv6.disable_ipv6=1}} instead will keep the IPv6 stack functional but will not assign IPv6 addresses to any of your network devices.<br />
<br />
One can also avoid assigning IPv6 addresses to specific network interfaces by adding the following sysctl config to {{ic|/etc/sysctl.d/40-ipv6.conf}}:<br />
<br />
# Disable IPv6<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.''nic0''.disable_ipv6 = 1<br />
...<br />
net.ipv6.conf.''nicN''.disable_ipv6 = 1<br />
<br />
Note that you must list all of the targeted interfaces explicitly, as {{ic|all.disable_ipv6}} does not apply to interfaces that are already "up" when the sysctl settings are applied.<br />
<br />
Also, if disabling IPv6 via sysctl, you should comment out the IPv6 hosts in your {{ic|/etc/hosts}}:<br />
<br />
#<ip-address> <hostname.domain.org> <hostname><br />
127.0.0.1 localhost.localdomain localhost<br />
#::1 localhost.localdomain localhost<br />
<br />
otherwise there could be some connection errors because hosts are resolved to their IPv6 address which is not reachable.<br />
<br />
=== Other programs ===<br />
<br />
Disabling IPv6 functionality in the kernel does not prevent other programs from trying to use IPv6. In most cases, this is completely harmless, but if you find yourself having issues with that program, you should consult the program's manual pages for a way to disable that functionality.<br />
<br />
==== dhcpcd ====<br />
<br />
''dhcpcd'' will continue to harmlessly attempt to perform IPv6 router solicitation. To disable this, as stated in the {{ic|dhcpcd.conf(5)}} [[man page]], add the following to {{ic|/etc/dhcpcd.conf}}:<br />
<br />
noipv6rs<br />
noipv6<br />
<br />
==== NetworkManager ====<br />
<br />
{{Poor writing|Specific approach to disable via GUI}}<br />
<br />
To disable IPv6 in NetworkManager, right click the network status icon and select ''Edit Connections > Wired > (your network name) > Edit > IPv6 Settings > Method > Ignore/Disabled''.<br />
<br />
Then click "Save".<br />
<br />
==== ntpd ====<br />
<br />
Following advice in [[Systemd#Drop-in snippets]], change how systemd starts {{ic|ntpd.service}}:<br />
<br />
# systemctl edit ntpd.service<br />
<br />
This will create a drop-in snippet that will be run instead of the default {{ic|ntpd.service}}. The {{ic|-4}} flag prevents IPv6 from being used by the ntp daemon. Put the following into the drop-in snippet:<br />
<br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/ntpd -4 -g -u ntp:ntp<br />
<br />
which first clears the previous {{ic|ExecStart}}, and then replaces it with one that includes the {{ic|-4}} flag.<br />
<br />
== See also ==<br />
<br />
* [https://www.kernel.org/doc/Documentation/networking/ipv6.txt IPv6] - kernel.org documentation<br />
* [http://www.ipsidixit.net/2012/08/09/ipv6-temporary-addresses-and-privacy-extensions/ IPv6 temporary addresses] - a summary about temporary addresses and privacy extensions<br />
* [http://tldp.org/HOWTO/Linux+IPv6-HOWTO/x513.html IPv6 prefixes] - a summary of prefix types<br />
* [http://tldp.org/HOWTO/Linux+IPv6-HOWTO/proc-sys-net-ipv6..html net.ipv6 options] - documentation of kernel parameters</div>Foucaulthttps://wiki.archlinux.org/index.php?title=IPv6&diff=369321IPv62015-04-11T14:32:23Z<p>Foucault: /* Prefix delegation (DHCPv6-PD) */ Formatting</p>
<hr />
<div>[[Category:Networking]]<br />
[[es:IPv6]]<br />
[[ja:IPv6]]<br />
[[pt:IPv6]]<br />
[[ru:IPv6]]<br />
[[zh-CN:IPv6]]<br />
{{Related articles start}}<br />
{{Related|IPv6 tunnel broker setup}}<br />
{{Related articles end}}<br />
In Arch Linux, IPv6 is enabled by default. If you are looking for information regarding IPv6 tunnels, you may want to look at [[IPv6 tunnel broker setup]].<br />
<br />
== Privacy extensions ==<br />
<br />
To enable Privacy Extensions for Stateless Address Autoconfiguration in IPv6 according to [https://tools.ietf.org/html/rfc4941 RFC 4941], reproduce the following steps:<br />
<br />
Add these lines to {{ic|/etc/sysctl.d/40-ipv6.conf}}:<br />
<br />
# Enable IPv6 Privacy Extensions<br />
net.ipv6.conf.all.use_tempaddr = 2<br />
net.ipv6.conf.default.use_tempaddr = 2<br />
net.ipv6.conf.''nic0''.use_tempaddr = 2<br />
...<br />
net.ipv6.conf.''nicN''.use_tempaddr = 2<br />
<br />
Where {{ic|nic0}} to {{ic|nicN}} are your '''N'''etwork '''I'''nterface '''C'''ards. The {{ic|all.use_tempaddr}} and {{ic|default.use_tempaddr}} parameters are not applied to NICs that already exist when the [[sysctl]] settings are executed. <br />
<br />
After a reboot, at the latest, Privacy Extensions should be enabled.<br />
<br />
=== dhcpcd ===<br />
<br />
[[dhcpcd]] has included the option {{ic|slaac private}} in its default configuration file since version 6.4.0; it enables "Stable Private IPv6 Addresses instead of hardware based ones", implementing [https://tools.ietf.org/html/rfc7217 RFC 7217] ([http://roy.marples.name/projects/dhcpcd/info/8aa9dab00dc72c453aeccbde885ecce27a3d81ff commit]). Therefore nothing needs to be changed, unless you want the IPv6 address to change more often than each time the system is connected to a new network.<br />
<br />
=== NetworkManager ===<br />
<br />
NetworkManager does not honour the settings placed in {{ic|/etc/sysctl.d/40-ipv6.conf}}. This can be verified by running {{ic|$ ip -6 addr show ''interface''}} after rebooting: no {{ic|scope global '''temporary'''}} address appears besides the regular one.<br />
<br />
See [[NetworkManager#Enable IPv6 Privacy Extensions]] for a workaround.<br />
<br />
{{Note|Although it may seem the {{ic|scope global temporary}} IPv6 address created by enabling Privacy Extensions never gets renewed (it never shifts to {{ic|deprecated}} status at the term of its {{ic|valid_lft}} lifetime), it is to be verified over a longer period of time that this address '''does''' indeed change.}}<br />
<br />
== Neighbor discovery ==<br />
<br />
Pinging the multicast address {{ic|ff02::1}} results in all hosts in link-local scope responding. An interface has to be specified:<br />
<br />
$ ping6 ff02::1%eth0<br />
<br />
With a ping to the multicast address {{ic|ff02::2}} only routers will respond.<br />
<br />
If you add the option {{ic|-I ''your-global-ipv6''}}, link-local hosts will respond with their global scope addresses. The interface can be omitted in this case:<br />
<br />
$ ping6 -I 2001:4f8:fff6::21 ff02::1<br />
<br />
== Static address ==<br />
<br />
Sometimes using a static address can improve security. For example, if your local router uses Neighbor Discovery or radvd ([http://www.apps.ietf.org/rfc/rfc2461.html RFC 2461]), your interface will automatically be assigned an address based on its MAC address (using IPv6 Stateless Address Autoconfiguration). This may be less than ideal for security since it allows a system to be tracked even if the network portion of the IP address changes.<br />
<br />
To assign a static IP address using [[netctl]], look at the example profile in {{ic|/etc/netctl/examples/ethernet-static}}. The following lines are important:<br />
<br />
...<br />
# For IPv6 static address configuration<br />
IP6=static<br />
Address6=('1234:5678:9abc:def::1/64' '1234:3456::123/96')<br />
Routes6=('abcd::1234')<br />
Gateway6='1234:0:123::abcd'<br />
<br />
== IPv6 and PPPoE ==<br />
<br />
The standard tool for PPPoE, {{ic|pppd}}, provides support for IPv6 on PPPoE as long as your ISP and your modem support it. Just add the following to {{ic|/etc/ppp/pppoe.conf}}:<br />
<br />
+ipv6<br />
<br />
If you are using [[netctl]] for PPPoE, add the following to your netctl configuration instead:<br />
<br />
PPPoEIP6=yes<br />
<br />
== Prefix delegation (DHCPv6-PD) ==<br />
<br />
Prefix delegation is a common IPv6 deployment technique used by many ISPs. It is a method of assigning a network prefix to a user site (i.e. a local network). A router can be configured to assign different network prefixes to various subnetworks. The ISP hands out a network prefix using DHCPv6 and a DHCP client assigns the prefixes to the local network. For a simple two-interface gateway this practically means assigning an IPv6 prefix to the interface connected to the local network, from a delegation acquired through the interface connected to the WAN (or a pseudo-interface such as ppp).<br />
<br />
=== Dibbler ===<br />
<br />
[http://klub.com.pl/dhcpv6/ Dibbler] is a portable DHCPv6 client and server which can be used for prefix delegation.<br />
<br />
If you are using {{ic|dibbler}}, edit {{ic|/etc/dibbler/client.conf}}:<br />
<br />
log-mode short<br />
log-level 7<br />
# use the interface connected to your WAN<br />
iface "WAN" {<br />
ia<br />
pd<br />
}<br />
<br />
{{Tip|Read manpage '''{{ic|dibbler-client(8)}}''' for more information.}}<br />
<br />
=== WIDE-DHCPv6 ===<br />
<br />
[http://wide-dhcpv6.sourceforge.net/ WIDE-DHCPv6] is an open-source implementation of Dynamic Host Configuration Protocol for IPv6 (DHCPv6) originally developed by the KAME project.<br />
<br />
If you are using {{ic|wide-dhcpv6}}, edit {{ic|/etc/wide-dhcpv6/dhcp6c.conf}}:<br />
<br />
# use the interface connected to your WAN<br />
interface WAN {<br />
send ia-pd 0;<br />
};<br />
<br />
id-assoc pd 0 {<br />
# use the interface connected to your LAN<br />
prefix-interface LAN {<br />
sla-id 1;<br />
sla-len 8;<br />
};<br />
};<br />
<br />
{{Note|1={{ic|sla-len}} should be set so that {{ic|1=(WAN-prefix) + (sla-len) = 64}}. In this case it is set up for a {{ic|/56}} prefix 56+8=64. For a {{ic|/64}} prefix {{ic|sla-len}} should be {{ic|0}}.}}<br />
<br />
To enable/start the wide-dhcpv6 client use the following command. Replace {{ic|WAN}} with the interface that is connected to your WAN.<br />
# systemctl enable/start dhcp6c@WAN.service<br />
<br />
{{Tip|Read manpages '''{{ic|dhcp6c(8)}}''' and '''{{ic|dhcp6c.conf(5)}}''' for more information.}}<br />
<br />
=== dhcpcd ===<br />
<br />
[[Dhcpcd]] also provides support for prefix delegation. If you are using {{ic|dhcpcd}}, edit {{ic|/etc/dhcpcd.conf}}. You might already be using dhcpcd for IPv4, so just update your existing configuration.<br />
<br />
duid<br />
noipv6rs<br />
waitip 6<br />
# Uncomment this line if you are running dhcpcd for IPv6 only.<br />
#ipv6only<br />
<br />
# use the interface connected to WAN<br />
interface WAN<br />
ipv6rs<br />
iaid 1<br />
# use the interface connected to your LAN<br />
ia_pd 1 LAN<br />
#ia_pd 1/::/64 LAN/0/64<br />
<br />
This configuration will ask for a prefix on the WAN interface ({{ic|WAN}}) and delegate it to the internal interface ({{ic|LAN}}).<br />
If the ISP issues only a {{ic|/64}}, use the second, commented-out {{ic|ia_pd}} line instead.<br />
It also disables router solicitations on all interfaces except the WAN interface ({{ic|WAN}}).<br />
<br />
{{Tip|Also read: manpages '''{{ic|dhcpcd(8)}}''' and '''{{ic|dhcpcd.conf(5)}}'''.}}<br />
<br />
== IPv6 on Comcast ==<br />
<br />
{{ic|dhcpcd -4}} or {{ic|dhcpcd -6}} worked using a Motorola SURFBoard 6141 and a Realtek RTL8168d/8111d. Either would work, but would not run dual stack: both protocols and addresses on one interface. (The {{ic|-6}} command would not work if {{ic|-4}} ran first, even after resetting the interface. And when it did, it gave the NIC a /128 address.) Try these commands:<br />
<br />
# dhclient -4 enp3s0<br />
# dhclient -P -v enp3s0<br />
<br />
The {{ic|-P}} argument grabs a lease of the IPv6 prefix only. {{ic|-v}} writes to {{ic|stdout}} what is also written to {{ic|/var/lib/dhclient/dhclient6.leases}}:<br />
<br />
Bound to *:546<br />
Listening on Socket/enp3s0<br />
Sending on Socket/enp3s0<br />
PRC: Confirming active lease (INIT-REBOOT).<br />
XMT: Forming Rebind, 0 ms elapsed.<br />
XMT: X-- IA_PD a1:b2:cd:e2<br />
XMT: | X-- Requested renew +3600<br />
XMT: | X-- Requested rebind +5400<br />
XMT: | | X-- '''IAPREFIX 1234:5:6700:890::/64'''<br />
<br />
{{ic|IAPREFIX}} is the value you need. Replace the trailing {{ic|::}} with {{ic|::1}} before the CIDR slash to turn the prefix into a usable address:<br />
<br />
# ip -6 addr add 1234:5:6700:890::1/64 dev enp3s0<br />
<br />
== Disable IPv6 ==<br />
<br />
{{Note|The Arch kernel has IPv6 support built in directly, therefore a module cannot be blacklisted.}}<br />
<br />
{{Expansion|Add reasons why users may want to disable IPv6, such as low-quality DNS servers or firewall rules}}<br />
<br />
=== Disable functionality ===<br />
<br />
Adding {{ic|1=ipv6.disable=1}} to the kernel line disables the whole IPv6 stack, which is likely what you want if you are experiencing issues. See [[Kernel parameters]] for more information.<br />
<br />
Alternatively, adding {{ic|1=ipv6.disable_ipv6=1}} instead will keep the IPv6 stack functional but will not assign IPv6 addresses to any of your network devices.<br />
<br />
One can also avoid assigning IPv6 addresses to specific network interfaces by adding the following sysctl config to {{ic|/etc/sysctl.d/40-ipv6.conf}}:<br />
<br />
# Disable IPv6<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.''nic0''.disable_ipv6 = 1<br />
...<br />
net.ipv6.conf.''nicN''.disable_ipv6 = 1<br />
<br />
Note that you must list all of the targeted interfaces explicitly, as {{ic|all.disable_ipv6}} does not apply to interfaces that are already "up" when the sysctl settings are applied.<br />
<br />
Also, if disabling IPv6 via sysctl, you should comment out the IPv6 hosts in your {{ic|/etc/hosts}}:<br />
<br />
#<ip-address> <hostname.domain.org> <hostname><br />
127.0.0.1 localhost.localdomain localhost<br />
#::1 localhost.localdomain localhost<br />
<br />
otherwise there could be some connection errors because hosts are resolved to their IPv6 address which is not reachable.<br />
<br />
=== Other programs ===<br />
<br />
Disabling IPv6 functionality in the kernel does not prevent other programs from trying to use IPv6. In most cases, this is completely harmless, but if you find yourself having issues with that program, you should consult the program's manual pages for a way to disable that functionality.<br />
<br />
==== dhcpcd ====<br />
<br />
''dhcpcd'' will continue to harmlessly attempt to perform IPv6 router solicitation. To disable this, as stated in the {{ic|dhcpcd.conf(5)}} [[man page]], add the following to {{ic|/etc/dhcpcd.conf}}:<br />
<br />
noipv6rs<br />
noipv6<br />
<br />
==== NetworkManager ====<br />
<br />
{{Poor writing|Specific approach to disable via GUI}}<br />
<br />
To disable IPv6 in NetworkManager, right click the network status icon and select ''Edit Connections > Wired > (your network name) > Edit > IPv6 Settings > Method > Ignore/Disabled''.<br />
<br />
Then click "Save".<br />
<br />
==== ntpd ====<br />
<br />
Following advice in [[Systemd#Drop-in snippets]], change how systemd starts {{ic|ntpd.service}}:<br />
<br />
# systemctl edit ntpd.service<br />
<br />
This will create a drop-in snippet that will be run instead of the default {{ic|ntpd.service}}. The {{ic|-4}} flag prevents IPv6 from being used by the ntp daemon. Put the following into the drop-in snippet:<br />
<br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/ntpd -4 -g -u ntp:ntp<br />
<br />
which first clears the previous {{ic|ExecStart}}, and then replaces it with one that includes the {{ic|-4}} flag.<br />
<br />
== See also ==<br />
<br />
* [https://www.kernel.org/doc/Documentation/networking/ipv6.txt IPv6] - kernel.org documentation<br />
* [http://www.ipsidixit.net/2012/08/09/ipv6-temporary-addresses-and-privacy-extensions/ IPv6 temporary addresses] - a summary about temporary addresses and privacy extensions<br />
* [http://tldp.org/HOWTO/Linux+IPv6-HOWTO/x513.html IPv6 prefixes] - a summary of prefix types<br />
* [http://tldp.org/HOWTO/Linux+IPv6-HOWTO/proc-sys-net-ipv6..html net.ipv6 options] - documentation of kernel parameters</div>Foucaulthttps://wiki.archlinux.org/index.php?title=IPv6&diff=369320IPv62015-04-11T14:25:39Z<p>Foucault: /* IPv6 and PPPoE */</p>
<hr />
<div>[[Category:Networking]]<br />
[[es:IPv6]]<br />
[[ja:IPv6]]<br />
[[pt:IPv6]]<br />
[[ru:IPv6]]<br />
[[zh-CN:IPv6]]<br />
{{Related articles start}}<br />
{{Related|IPv6 tunnel broker setup}}<br />
{{Related articles end}}<br />
In Arch Linux, IPv6 is enabled by default. If you are looking for information regarding IPv6 tunnels, you may want to look at [[IPv6 tunnel broker setup]].<br />
<br />
== Privacy extensions ==<br />
<br />
To enable Privacy Extensions for Stateless Address Autoconfiguration in IPv6 according to [https://tools.ietf.org/html/rfc4941 RFC 4941], reproduce the following steps:<br />
<br />
Add these lines to {{ic|/etc/sysctl.d/40-ipv6.conf}}:<br />
<br />
# Enable IPv6 Privacy Extensions<br />
net.ipv6.conf.all.use_tempaddr = 2<br />
net.ipv6.conf.default.use_tempaddr = 2<br />
net.ipv6.conf.''nic0''.use_tempaddr = 2<br />
...<br />
net.ipv6.conf.''nicN''.use_tempaddr = 2<br />
<br />
Where {{ic|nic0}} to {{ic|nicN}} are your '''N'''etwork '''I'''nterface '''C'''ards. The {{ic|all.use_tempaddr}} and {{ic|default.use_tempaddr}} parameters are not applied to NICs that already exist when the [[sysctl]] settings are executed. <br />
<br />
After a reboot, at the latest, Privacy Extensions should be enabled.<br />
<br />
=== dhcpcd ===<br />
<br />
[[dhcpcd]] has included the option {{ic|slaac private}} in its default configuration file since version 6.4.0; it enables "Stable Private IPv6 Addresses instead of hardware based ones", implementing [https://tools.ietf.org/html/rfc7217 RFC 7217] ([http://roy.marples.name/projects/dhcpcd/info/8aa9dab00dc72c453aeccbde885ecce27a3d81ff commit]). Therefore nothing needs to be changed, unless you want the IPv6 address to change more often than each time the system is connected to a new network.<br />
<br />
=== NetworkManager ===<br />
<br />
NetworkManager does not honour the settings placed in {{ic|/etc/sysctl.d/40-ipv6.conf}}. This can be verified by running {{ic|$ ip -6 addr show ''interface''}} after rebooting: no {{ic|scope global '''temporary'''}} address appears besides the regular one.<br />
<br />
See [[NetworkManager#Enable IPv6 Privacy Extensions]] for a workaround.<br />
<br />
{{Note|Although it may seem the {{ic|scope global temporary}} IPv6 address created by enabling Privacy Extensions never gets renewed (it never shifts to {{ic|deprecated}} status at the term of its {{ic|valid_lft}} lifetime), it is to be verified over a longer period of time that this address '''does''' indeed change.}}<br />
<br />
== Neighbor discovery ==<br />
<br />
Pinging the multicast address {{ic|ff02::1}} results in all hosts in link-local scope responding. An interface has to be specified:<br />
<br />
$ ping6 ff02::1%eth0<br />
<br />
With a ping to the multicast address {{ic|ff02::2}} only routers will respond.<br />
<br />
If you add the option {{ic|-I ''your-global-ipv6''}}, link-local hosts will respond with their global scope addresses. The interface can be omitted in this case:<br />
<br />
$ ping6 -I 2001:4f8:fff6::21 ff02::1<br />
<br />
== Static address ==<br />
<br />
Sometimes using a static address can improve security. For example, if your local router uses Neighbor Discovery or radvd ([http://www.apps.ietf.org/rfc/rfc2461.html RFC 2461]), your interface will automatically be assigned an address based on its MAC address (using IPv6 Stateless Address Autoconfiguration). This may be less than ideal for security since it allows a system to be tracked even if the network portion of the IP address changes.<br />
<br />
To assign a static IP address using [[netctl]], look at the example profile in {{ic|/etc/netctl/examples/ethernet-static}}. The following lines are important:<br />
<br />
...<br />
# For IPv6 static address configuration<br />
IP6=static<br />
Address6=('1234:5678:9abc:def::1/64' '1234:3456::123/96')<br />
Routes6=('abcd::1234')<br />
Gateway6='1234:0:123::abcd'<br />
<br />
== IPv6 and PPPoE ==<br />
<br />
The standard tool for PPPoE, {{ic|pppd}}, provides support for IPv6 on PPPoE as long as your ISP and your modem support it. Just add the following to {{ic|/etc/ppp/pppoe.conf}}:<br />
<br />
+ipv6<br />
<br />
If you are using [[netctl]] for PPPoE, then just add the following to your netctl configuration instead:<br />
<br />
PPPoEIP6=yes<br />
<br />
== Prefix delegation (DHCPv6-PD) ==<br />
<br />
Prefix delegation is a common IPv6 deployment technique used by many ISPs. It is a method of assigning a network prefix to a user site (i.e. a local network). A router can be configured to assign different network prefixes to various subnetworks. The ISP hands out a network prefix using DHCPv6 and a DHCP client assigns the prefixes to the local network. For a simple two-interface gateway it practically assigns an IPv6 prefix to the interface connected to the local network, derived from a prefix acquired through the interface connected to the WAN (or a pseudo-interface such as ppp).<br />
<br />
For '''dibbler''', edit {{ic|/etc/dibbler/client.conf}}:<br />
<br />
log-mode short<br />
log-level 7<br />
# use the interface connected to your WAN<br />
iface "WAN" {<br />
ia<br />
pd<br />
}<br />
<br />
{{Tip|Read manpage '''{{ic|dibbler-client(8)}}''' for more information.}}<br />
<br />
For '''wide-dhcpv6''', edit {{ic|/etc/wide-dhcpv6/dhcp6c.conf}}:<br />
<br />
# use the interface connected to your WAN<br />
interface WAN {<br />
send ia-pd 0;<br />
};<br />
<br />
id-assoc pd 0 {<br />
# use the interface connected to your LAN<br />
prefix-interface LAN {<br />
sla-id 1;<br />
sla-len 8;<br />
};<br />
};<br />
<br />
{{Note|1={{ic|sla-len}} should be set so that {{ic|1=(WAN-prefix) + (sla-len) = 64}}. In this case it is set up for a {{ic|/56}} prefix 56+8=64. For a {{ic|/64}} prefix {{ic|sla-len}} should be {{ic|0}}.}}<br />
<br />
To enable/start the wide-dhcpv6 client, use the following command. Replace {{ic|WAN}} with the interface that is connected to your WAN.<br />
# systemctl enable/start dhcp6c@WAN.service<br />
<br />
{{Tip|Read manpages '''{{ic|dhcp6c(8)}}''' and '''{{ic|dhcp6c.conf(5)}}''' for more information.}}<br />
<br />
For '''dhcpcd''', edit {{ic|/etc/dhcpcd.conf}}. You might already be using dhcpcd for IPv4, so just update your existing configuration:<br />
<br />
duid<br />
noipv6rs<br />
waitip 6<br />
# Uncomment this line if you are running dhcpcd for IPv6 only.<br />
#ipv6only<br />
<br />
# use the interface connected to WAN<br />
interface WAN<br />
ipv6rs<br />
iaid 1<br />
# use the interface connected to your LAN<br />
ia_pd 1 LAN<br />
#ia_pd 1/::/64 LAN/0/64<br />
<br />
This configuration will ask for a prefix from the WAN interface ({{ic|WAN}}) and delegate it to the internal interface ({{ic|LAN}}).<br />
In the event that a {{ic|/64}} range is issued, you will need to use the second {{ic|ia_pd}} instruction, which is commented out, instead.<br />
It will also disable router solicitations on all interfaces except for the WAN interface ({{ic|WAN}}).<br />
<br />
{{Tip|Also read: manpages '''{{ic|dhcpcd(8)}}''' and '''{{ic|dhcpcd.conf(5)}}'''.}}<br />
<br />
== IPv6 on Comcast ==<br />
<br />
{{ic|dhcpcd -4}} or {{ic|dhcpcd -6}} worked using a Motorola SURFBoard 6141 and a Realtek RTL8168d/8111d. Either would work, but would not run dual stack: both protocols and addresses on one interface. (The {{ic|-6}} command would not work if {{ic|-4}} ran first, even after resetting the interface. And when it did, it gave the NIC a /128 address.) Try these commands:<br />
<br />
# dhclient -4 enp3s0<br />
# dhclient -P -v enp3s0<br />
<br />
The {{ic|-P}} argument grabs a lease of the IPv6 prefix only. {{ic|-v}} writes to {{ic|stdout}} what is also written to {{ic|/var/lib/dhclient/dhclient6.leases}}:<br />
<br />
Bound to *:546<br />
Listening on Socket/enp3s0<br />
Sending on Socket/enp3s0<br />
PRC: Confirming active lease (INIT-REBOOT).<br />
XMT: Forming Rebind, 0 ms elapsed.<br />
XMT: X-- IA_PD a1:b2:cd:e2<br />
XMT: | X-- Requested renew +3600<br />
XMT: | X-- Requested rebind +5400<br />
XMT: | | X-- '''IAPREFIX 1234:5:6700:890::/64'''<br />
<br />
{{ic|IAPREFIX}} is the necessary value. Substitute {{ic|::1}} before the CIDR slash to make the prefix a real address:<br />
<br />
# ip -6 addr add 1234:5:6700:890::1/64 dev enp3s0<br />
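As an added example that is not part of the original article, the following Python script ties the two pieces above together: it pulls the {{ic|IAPREFIX}} out of captured {{ic|dhclient -P -v}} output, carves a LAN {{ic|/64}} out of a delegated prefix the way {{ic|sla-id}}/{{ic|sla-len}} do in {{ic|dhcp6c.conf}} (checking the {{ic|1=(WAN-prefix) + (sla-len) = 64}} rule from the note above), and derives the {{ic|::1}} router address. The sample output is constructed after the excerpt above and the function names are hypothetical.

```python
"""Added example: derive LAN prefixes and the router address from a
DHCPv6-PD lease.  Function names are hypothetical; the sample log text is
constructed after the dhclient excerpt on this page (documentation prefix)."""
import ipaddress
import re
from typing import Union

# Constructed sample of ``dhclient -P -v`` output (not a real lease).
SAMPLE_DHCLIENT_OUTPUT = """\
Bound to *:546
Listening on Socket/enp3s0
Sending on Socket/enp3s0
PRC: Confirming active lease (INIT-REBOOT).
XMT: Forming Rebind, 0 ms elapsed.
XMT: X-- IA_PD a1:b2:cd:e2
XMT: | X-- Requested renew +3600
XMT: | X-- Requested rebind +5400
XMT: | | X-- IAPREFIX 1234:5:6700:890::/64
"""

IAPREFIX_RE = re.compile(r"\bIAPREFIX\s+([0-9A-Fa-f:]+/\d{1,3})")


def parse_iaprefix(text: str) -> ipaddress.IPv6Network:
    """Return the delegated prefix from the first IAPREFIX line in *text*.

    strict=True rejects a prefix with host bits set, which would indicate
    garbled output rather than a usable delegation.
    """
    for line in text.splitlines():
        match = IAPREFIX_RE.search(line)
        if match:
            return ipaddress.IPv6Network(match.group(1), strict=True)
    raise ValueError("no IAPREFIX line found in dhclient output")


def lan_prefix(delegated: Union[str, ipaddress.IPv6Network],
               sla_id: int, sla_len: int) -> ipaddress.IPv6Network:
    """Carve a /64 out of *delegated* like dhcp6c's sla-id/sla-len.

    The SLA field sits directly after the delegated prefix bits, so
    (delegated prefix length) + sla_len must equal 64, as the note on
    this page states (/56 + 8, /64 + 0).
    """
    if isinstance(delegated, str):
        delegated = ipaddress.IPv6Network(delegated, strict=True)
    if delegated.prefixlen + sla_len != 64:
        raise ValueError(
            f"/{delegated.prefixlen} + sla-len {sla_len} != 64")
    if not 0 <= sla_id < (1 << sla_len):
        raise ValueError(f"sla-id {sla_id} does not fit in {sla_len} bits")
    # Bits 0..63 (from the left) of a 128-bit address are the network part;
    # shifting the SLA id by 64 puts its least significant bit at bit 63.
    network_int = int(delegated.network_address) | (sla_id << 64)
    return ipaddress.IPv6Network((network_int, 64), strict=True)


def router_address(prefix: ipaddress.IPv6Network) -> ipaddress.IPv6Interface:
    """First address of *prefix* (the '::1' the page uses) plus its mask."""
    return ipaddress.IPv6Interface(
        f"{prefix.network_address + 1}/{prefix.prefixlen}")


if __name__ == "__main__":
    delegated = parse_iaprefix(SAMPLE_DHCLIENT_OUTPUT)
    print("delegated:", delegated)
    print("router   :", router_address(delegated))
    # A /56 delegation split into /64s, as in the dhcp6c example (sla-len 8).
    for sla in (0, 1, 255):
        print(f"sla-id {sla:3d}:", lan_prefix("1234:5:6700:800::/56", sla, 8))
```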
<br />
== Disable IPv6 ==<br />
<br />
{{Note|The Arch kernel has IPv6 support built in directly, therefore a module cannot be blacklisted.}}<br />
<br />
{{Expansion|Add reasons why users may want to disable IPv6, such as low-quality DNS servers or firewall rules}}<br />
<br />
=== Disable functionality ===<br />
<br />
Adding {{ic|1=ipv6.disable=1}} to the kernel line disables the whole IPv6 stack, which is likely what you want if you are experiencing issues. See [[Kernel parameters]] for more information.<br />
<br />
Alternatively, adding {{ic|1=ipv6.disable_ipv6=1}} instead will keep the IPv6 stack functional but will not assign IPv6 addresses to any of your network devices.<br />
<br />
One can also avoid assigning IPv6 addresses to specific network interfaces by adding the following sysctl config to {{ic|/etc/sysctl.d/40-ipv6.conf}}:<br />
<br />
# Disable IPv6<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.''nic0''.disable_ipv6 = 1<br />
...<br />
net.ipv6.conf.''nicN''.disable_ipv6 = 1<br />
<br />
Note that you must list all of the targeted interfaces explicitly, as setting {{ic|all.disable_ipv6}} does not apply to interfaces that are already "up" when the sysctl settings are applied.<br />
<br />
Also, if disabling IPv6 via sysctl, you should comment out the IPv6 hosts in your {{ic|/etc/hosts}}:<br />
<br />
#<ip-address> <hostname.domain.org> <hostname><br />
127.0.0.1 localhost.localdomain localhost<br />
#::1 localhost.localdomain localhost<br />
<br />
otherwise there could be connection errors, because hosts are resolved to their IPv6 address, which is not reachable.<br />
<br />
=== Other programs ===<br />
<br />
Disabling IPv6 functionality in the kernel does not prevent other programs from trying to use IPv6. In most cases, this is completely harmless, but if you find yourself having issues with that program, you should consult the program's manual pages for a way to disable that functionality.<br />
<br />
==== dhcpcd ====<br />
<br />
''dhcpcd'' will continue to harmlessly attempt to perform IPv6 router solicitation. To disable this, as stated in the {{ic|dhcpcd.conf (5)}} [[man page]], add the following to {{ic|/etc/dhcpcd.conf}}:<br />
<br />
noipv6rs<br />
noipv6<br />
<br />
==== NetworkManager ====<br />
<br />
{{Poor writing|Specific approach to disable via GUI}}<br />
<br />
To disable IPv6 in NetworkManager, right click the network status icon, and select ''Edit Connections > Wired > ''Network name'' > Edit > IPv6 Settings > Method > Ignore/Disabled''<br />
<br />
Then click "Save".<br />
<br />
==== ntpd ====<br />
<br />
Following advice in [[Systemd#Drop-in snippets]], change how systemd starts {{ic|ntpd.service}}:<br />
<br />
# systemctl edit ntpd.service<br />
<br />
This will create a drop-in snippet that overrides parts of the default {{ic|ntpd.service}} unit. The {{ic|-4}} flag prevents IPv6 from being used by the ntp daemon. Put the following into the drop-in snippet:<br />
<br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/ntpd -4 -g -u ntp:ntp<br />
<br />
which first clears the previous {{ic|ExecStart}}, and then replaces it with one that includes the {{ic|-4}} flag.<br />
<br />
== See also ==<br />
<br />
* [https://www.kernel.org/doc/Documentation/networking/ipv6.txt IPv6] - kernel.org documentation<br />
* [http://www.ipsidixit.net/2012/08/09/ipv6-temporary-addresses-and-privacy-extensions/ IPv6 temporary addresses] - a summary about temporary addresses and privacy extensions<br />
* [http://tldp.org/HOWTO/Linux+IPv6-HOWTO/x513.html IPv6 prefixes] - a summary of prefix types<br />
* [http://tldp.org/HOWTO/Linux+IPv6-HOWTO/proc-sys-net-ipv6..html net.ipv6 options] - documentation of kernel parameters</div>Foucaulthttps://wiki.archlinux.org/index.php?title=Router&diff=369319Router2015-04-11T14:21:48Z<p>Foucault: /* PPPoE and IPv6 */ Removed PPPoE and IPv6; moved to main IPv6 article https://wiki.archlinux.org/index.php/IPv6#IPv6_and_PPPoE</p>
<hr />
<div>[[Category:Networking]]<br />
[[Category:Security]]<br />
{{Poor writing|The introduction states that this page "focuses on ''security''", but 99% is plain system configuration. It also needs massive deduplication, security is already covered [[Simple stateful firewall|elsewhere]].}}<br />
<br />
This article is a tutorial for turning a computer into an internet gateway/router. It focuses on ''security'', since the gateway is connected directly to the Internet. It should not run '''any''' services available to the outside world. Towards the LAN, it should only run gateway-specific services. It should not run httpd, ftpd, samba, nfsd, etc.; those belong on a server inside the LAN, as they introduce security flaws.<br />
<br />
This article does not attempt to show how to set up a shared connection between 2 PCs using cross-over cables. For a simple internet sharing solution, see [[Internet sharing]].<br />
<br />
==Hardware Requirements==<br />
* At least 1 GB of hard drive space. The base install will take up around 500MB of space and if you want to use a caching web proxy, you will need to reserve space for the cache as well.<br />
* At least two physical network interfaces: a gateway connects two networks with each other. You will need to be able to connect those networks to the same physical computer. One interface must connect to the external network, while the other connects to the internal network.<br />
* A hub, switch or UTP cable: you need a way to connect the other computers to the gateway.<br />
<br />
==Conventions==<br />
Conventions in this guide will be to use non-realistic interface names, to avoid confusion about which interface is which.<br />
<br />
* '''intern0''': the network card connected to the LAN. On an actual computer it will probably have the name enp2s0, enp1s1, etc.<br />
* '''extern0''': the network card connected to the external network (or WAN). It will probably have the name enp2s0, enp1s1, etc.<br />
<br />
==Installation==<br />
{{Note | For a full installation guide, see the [[Installation guide]].}}<br />
<br />
A fresh install of Arch Linux is the easiest to start from, as no configuration changes have been made and there is a minimal number of packages installed. This is helpful when attempting to reduce security risk.<br />
<br />
===Partitioning===<br />
<br />
For security purposes, {{ic|/var}}, {{ic|/tmp}} and {{ic|/home}} should be separate from the {{ic|/}} partition. This prevents disk space from being completely used up by log files, daemons or the unprivileged user. It also allows different mount options for those partitions. If you have already partitioned your drive, the [http://gparted.sourceforge.net/ gparted livecd] can be used to resize, move, or create new partitions.<br />
<br />
Your home and root partitions can be much smaller than a regular install since this is not a desktop machine. {{ic|/var}} should be the largest partition—it is where databases, logs and long-term caches are stored. If you have a lot of RAM, mounting {{ic|/tmp}} as {{ic|tmpfs}} is a good idea, so making a disk partition for it during the initial install is unnecessary. Note that {{ic|/tmp}} is mounted as {{ic|tmpfs}} by default in Arch.<br />
<br />
===Post-Installation===<br />
After creating a non-root account, it is recommended to install [[sudo]] and [[sudo#Disable root login|disable root login]].<br />
<br />
==Network interface configuration==<br />
<br />
===Persistent naming and Interface renaming===<br />
systemd automatically chooses unique interface names for all your interfaces. These are persistent and will not change when you reboot. If you would like to rename interfaces to more user-friendly names, read [[Network configuration#Device_names]].<br />
<br />
===IP configuration===<br />
Now you will need to configure the network interfaces. The best way to do so is using [[netctl]] profiles. You will need to create two profiles.<br />
{{Note|If you will be connecting to the Internet only via PPPoE (you have one WAN port) you '''do not need''' to set up or enable the extern0-profile. See below for more information on configuring PPPoE.}}<br />
* {{ic|/etc/netctl/extern0-profile}}<br />
Description='Public Interface.'<br />
Interface=extern0<br />
Connection=ethernet<br />
IP='dhcp'<br />
<br />
* {{ic|/etc/netctl/intern0-profile}}<br />
Description='Private Interface'<br />
Interface=intern0<br />
Connection=ethernet<br />
IP='static'<br />
Address=('10.0.0.1/24')<br />
<br />
{{Note|The example configuration above assumes a full subnet. If you are building the gateway for a small amount of people, you will want to change the CIDR suffix to accommodate a smaller range. For example /27 will give you 10.0.0.1 to 10.0.0.30. You can find many CIDR calculators online.}}<br />
<br />
Next up is to set up the interfaces with netctl.<br />
# netctl enable extern0-profile<br />
# netctl enable intern0-profile<br />
<br />
==ADSL connection/PPPoE==<br />
Using rp-pppoe, we can connect an ADSL modem to the {{ic|extern0}} interface of the firewall and have Arch manage the connection. Make sure you put the modem in ''bridged'' mode though (either half-bridge or RFC1483), otherwise the modem will act as a router too.<br />
# pacman -S rp-pppoe<br />
<br />
It should be noted that if you use only PPPoE to connect to the internet (i.e. you do not have another WAN port, except for the one that connects to your modem), you do not need to set up the {{ic|extern0-profile}}, as the external pseudo-interface will be {{ic|ppp0}}.<br />
<br />
===PPPoE configuration===<br />
You can use netctl to set up the PPPoE connection. To get started:<br />
# cp /etc/netctl/examples/pppoe /etc/netctl/<br />
and start editing. For the interface configuration, choose the interface that connects to the modem. If you only connect to the internet through PPPoE, this will probably be {{ic|extern0}}. Fill in the rest of the fields with your ISP information. See the PPPoE section of the {{ic|netctl.profile(5)}} man page for more information on the fields.<br />
<br />
==DNS and DHCP==<br />
We will use [[dnsmasq]], a DNS and DHCP daemon for the LAN. It was specifically designed for small sites. To get it, [[Pacman | install]] {{Pkg|dnsmasq}} from the [[official repositories]].<br />
<br />
Dnsmasq needs to be configured to be a DHCP server. To do this:<br />
<br />
Edit {{ic|/etc/dnsmasq.conf}}:<br />
<br />
interface=intern0 # make dnsmasq listen for requests only on intern0 (our LAN)<br />
expand-hosts # add a domain to simple hostnames in /etc/hosts<br />
domain=foo.bar # allow fully qualified domain names for DHCP hosts (needed when<br />
# "expand-hosts" is used)<br />
dhcp-range=10.0.0.2,10.0.0.255,255.255.255.0,1h # defines a DHCP-range for the LAN: <br />
# from 10.0.0.2 to .255 with a subnet mask of 255.255.255.0 and a<br />
# DHCP lease of 1 hour (change to your own preferences)<br />
<br />
Somewhere below, you will notice you can also add "static" DHCP leases, i.e. assign an IP address to the MAC address of a computer on the LAN. This way, whenever the computer requests a new lease, it will get the same IP. That is very useful for network servers with a DNS record. You can also deny certain MACs from obtaining an IP.<br />
<br />
Now start dnsmasq:<br />
# systemctl start dnsmasq.service<br />
<br />
==Connection sharing==<br />
<br />
Time to tie the two network interfaces to each other.<br />
===iptables===<br />
[[Simple stateful firewall]] documents the setup of an [[iptables]] firewall and NAT.<br />
<br />
Make sure you add the firewall exceptions for DHCP (port 67) and DNS (port 53) if you want to use dnsmasq:<br />
<br />
* Insert Rules:<br />
# iptables -t filter -I INPUT -i intern0 -p udp -m udp --dport 67 -j ACCEPT<br />
# iptables -t filter -I INPUT -i intern0 -p tcp -m tcp --dport 67 -j ACCEPT<br />
# iptables -t filter -I INPUT -i intern0 -p udp -m udp --dport 53 -j ACCEPT<br />
# iptables -t filter -I INPUT -i intern0 -p tcp -m tcp --dport 53 -j ACCEPT<br />
<br />
<br />
===Shorewall===<br />
Shorewall, an iptables frontend, can be used as an easier alternative. See [[Shorewall]] for detailed configuration.<br />
<br />
==IPv6==<br />
<br />
{{Merge|IPv6|Merge into the main article, the topic is not specific to ''router configuration''. The wording should be probably changed along the way.}}<br />
<br />
''Useful reading: [[IPv6]] and the [https://en.wikipedia.org/wiki/IPv6 Wikipedia IPv6 entry].''<br />
<br />
You can use your router in IPv6 mode even if you do not have an IPv6 address from your ISP. Unless you disable IPv6, all interfaces should have been assigned a unique {{ic|fe80::/10}} address.<br />
<br />
For internal networking the block {{ic|fc00::/7}} has been reserved. These addresses are guaranteed to be unique and non-routable from the open internet. Addresses that belong to the {{ic|fc00::/7}} block are called [http://en.wikipedia.org/wiki/Unique_local_address Unique Local Addresses]. To get started, [http://www.simpledns.com/private-ipv6.aspx generate a ULA /64 block] to use in your network. For this example we will use {{ic|fd00:aaaa:bbbb:cccc::/64}}. First, we must assign a static IPv6 address on the internal interface. Modify the {{ic|intern0-profile}} we created above to include the following line:<br />
IPCustom=('-6 addr add fd00:aaaa:bbbb:cccc::1/64 dev intern0')<br />
This will add the ULA to the internal interface. As far as the router goes, this is all you need to configure.<br />
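Rather than trusting a website to pick the prefix, the ULA can be generated locally with the RFC 4193 algorithm (SHA-1 over an NTP timestamp and the EUI-64 of a local MAC, keeping the low 40 bits as the Global ID), which is what makes collisions between sites unlikely. This is an added example, not part of the original article; the MAC and timestamp used at the bottom are constructed and the function names are hypothetical.

```python
"""Added example: generate an RFC 4193 Unique Local Address prefix locally.
Function names are hypothetical; the MAC and timestamp at the bottom are
constructed values, not taken from a real system."""
import hashlib
import ipaddress
import struct
import time
from typing import Optional

NTP_UNIX_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01


def mac_to_eui64(mac: str) -> bytes:
    """Build the modified EUI-64 from a 48-bit MAC: insert ff:fe in the
    middle and flip the universal/local bit, as SLAAC does."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def ntp_timestamp(unix_time: float) -> bytes:
    """64-bit NTP timestamp (32-bit seconds, 32-bit fraction), big-endian."""
    seconds = int(unix_time) + NTP_UNIX_OFFSET
    fraction = int((unix_time - int(unix_time)) * (1 << 32))
    return struct.pack("!II", seconds & 0xFFFFFFFF, fraction & 0xFFFFFFFF)


def ula_global_id(eui64: bytes, unix_time: float) -> int:
    """RFC 4193 section 3.2.2: SHA-1(time || EUI-64), low-order 40 bits."""
    digest = hashlib.sha1(ntp_timestamp(unix_time) + eui64).digest()
    return int.from_bytes(digest[-5:], "big")


def ula_prefix(mac: str, unix_time: Optional[float] = None) -> ipaddress.IPv6Network:
    """Locally assigned ULA /48: fd00::/8 followed by the 40-bit Global ID."""
    if unix_time is None:
        unix_time = time.time()
    global_id = ula_global_id(mac_to_eui64(mac), unix_time)
    # 8-bit prefix (0xfd = fc00::/7 with L=1) | 40-bit Global ID |
    # 16-bit Subnet ID (zero here) | 64-bit Interface ID (zero).
    return ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80), 48))


def ula_subnet(prefix48: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """One of the 65536 /64 subnets inside a ULA /48 (e.g. the LAN)."""
    if prefix48.prefixlen != 48:
        raise ValueError("expected a /48 ULA prefix")
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet id must fit in 16 bits")
    return ipaddress.IPv6Network(
        (int(prefix48.network_address) | (subnet_id << 64), 64))


def is_ula(net: ipaddress.IPv6Network) -> bool:
    """True when *net* lies inside the fc00::/7 Unique Local block."""
    return net.subnet_of(ipaddress.IPv6Network("fc00::/7"))


if __name__ == "__main__":
    # Constructed inputs; on a real router use intern0's MAC and the
    # current time (unix_time=None).
    prefix = ula_prefix("00:1b:21:aa:bb:cc", unix_time=1300000000.0)
    lan = ula_subnet(prefix, 1)
    print("ULA /48 :", prefix)
    print("LAN /64 :", lan)
    print("intern0 :", f"{lan.network_address + 1}/64")
```

The printed LAN prefix is what goes into the {{ic|IPCustom}} line and into {{ic|radvd.conf}} in place of {{ic|fd00:aaaa:bbbb:cccc::/64}}.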
<br />
===Router Advertisement and Stateless Autoconfiguration (SLAAC)===<br />
<br />
To properly hand out IPv6s to the network clients we will need to use an advertising daemon. The standard tool for this job is {{Pkg|radvd}} and is available in [[official repositories]]. Configuration of radvd is fairly simple. Edit {{ic|/etc/radvd.conf}} to include<br />
<br />
interface intern0 {<br />
AdvSendAdvert on;<br />
MinRtrAdvInterval 3;<br />
MaxRtrAdvInterval 10;<br />
prefix fd00:aaaa:bbbb:cccc::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
};<br />
};<br />
<br />
The above configuration will tell clients to autoconfigure themselves using addresses from the specified /64 block. Addresses on the clients are uniquely generated using the MAC address of the connected interface and are optionally mangled for security reasons if [[IPv6#Privacy_Extensions|privacy extensions]] are enabled (which is recommended). On the client side you need to enable {{ic|1=IP6=stateless}} in your active netctl profile. If you want a static IP as well, add:<br />
IPCustom=('-6 addr add fd00:aaaa:bbbb:cccc::2/64 dev eth0')<br />
<br />
Do not forget to enable {{ic|radvd.service}}.<br />
<br />
====Firewall tweaks====<br />
<br />
Stateless autoconfiguration works on the condition that ICMPv6 packets are allowed throughout the network, so some firewall tweaks are required on both ends of the network for it to work properly. On the '''client side''' all you need to do is allow the {{ic|ipv6-icmp}} protocol on the INPUT chain. If you are using [[Simple stateful firewall]] you only need to add:<br />
<br />
-A INPUT -p ipv6-icmp -j ACCEPT<br />
<br />
You can limit it to the internal network using {{ic|-s fd00:aaaa:bbbb:cccc::/64}} and/or {{ic|-s fe80::/10}} if you feel it is a security threat. Additionally, you must add the same rules to your router firewall, extended to the OUTPUT and FORWARD chains as well:<br />
<br />
-A INPUT -p ipv6-icmp -j ACCEPT<br />
-A OUTPUT -p ipv6-icmp -j ACCEPT<br />
-A FORWARD -p ipv6-icmp -j ACCEPT<br />
<br />
Again, you can limit it to the internal network for the INPUT chain.<br />
<br />
{{Expansion|More information on IPv6 firewalls required}}<br />
{{Expansion|Additional info on running DHCPv6 server instead of SLAAC}}<br />
<br />
===Global Unicast Addresses===<br />
<br />
====Static WAN IPv6====<br />
<br />
If your ISP or WAN network can access the IPv6 Internet, you can assign global unicast addresses to your router and propagate them through SLAAC to your internal network. If you can use a static IPv6 address, all you must do is add it to your external profile and enable the advertisement of the global unicast block in {{ic|radvd.conf}}.<br />
<br />
In {{ic|/etc/netctl/extern0-profile}}, simply add the IPv6 address and the IPv6 prefix (usually /64) you have been provided:<br />
<br />
IPCustom=('-6 addr add 2002:1:2:3:4:5:6:7/64 dev extern0')<br />
<br />
and edit {{ic|/etc/radvd.conf}} to include the new advertisement block.<br />
<br />
interface intern0 {<br />
AdvSendAdvert on;<br />
MinRtrAdvInterval 3;<br />
MaxRtrAdvInterval 10;<br />
prefix fd00:aaaa:bbbb:cccc::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
};<br />
prefix 2002:1:2:3::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
};<br />
};<br />
<br />
In that way your internal network clients will also get a Global IPv6 address. This IP is routable from the open internet, so adjust your firewalls. Please note that global and local IPv6s can co-exist on the same interface without further configuration.<br />
<br />
====Acquiring WAN IPv6 via DHCPv6-PD====<br />
<br />
You can acquire IPv6 via prefix delegation following the instructions in the [[IPv6|main IPv6 article]]. Following the conventions of this article the WAN interface is {{ic|extern0}} (or {{ic|ppp0}} if you are connecting through PPPoE) and the LAN interface is {{ic|intern0}}. You might need to update your Router Advertisement configuration to advertise all assigned {{ic|/64}} prefixes. Simply change {{ic|/etc/radvd.conf}} to<br />
<br />
interface intern0 {<br />
AdvSendAdvert on;<br />
MinRtrAdvInterval 3;<br />
MaxRtrAdvInterval 10;<br />
prefix ::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
DeprecatePrefix on;<br />
};<br />
};<br />
<br />
==Cleanup==<br />
<br />
Now that the installation has been performed, it is necessary to remove as many packages as possible. Since we are making a gateway, keeping unneeded packages only "bloats" the system, and increases the number of security risks.<br />
<br />
First, check for packages that are no longer found in the sync databases (obsolete/deprecated or foreign packages; likely after a fresh install and a massive series of updates):<br />
<br />
$ pacman -Qm<br />
<br />
Review the list of explicitly installed packages that are not dependencies and remove any that are unneeded. Having only needed packages installed is an important security consideration.<br />
<br />
$ pacman -Qet<br />
<br />
Completely remove the packages you do not need along with their configuration files and dependencies:<br />
<br />
# pacman -Rsn package1 package2 package3<br />
<br />
== Logrotate ==<br />
<br />
You should review the [[logrotate]] configuration to make sure the box is not brought down by lack of disk space due to logging.<br />
<br />
Logrotate is installed by default, so you will not have to install it.<br />
<br />
==Optional additions==<br />
<br />
===UPnP===<br />
The above configuration of shorewall does not include [[Wikipedia:UPnP|UPnP]] support. Use of UPnP is discouraged as it may make the gateway vulnerable to attacks from within the LAN. However, some applications require this to function correctly.<br />
<br />
To enable UPnP on your router, you need to install a UPnP Internet gateway daemon (IGD). To get it, install {{Pkg|miniupnpd}} from the [[official repositories]].<br />
<br />
Read the [http://www.shorewall.net/UPnP.html Shorewall guide on UPnP] for more information.<br />
<br />
===Remote administration===<br />
<br />
[[SSH|OpenSSH]] can be used to administer your router remotely. This is useful for running it "headless" (no monitor or input devices).<br />
<br />
=== Caching web proxy ===<br />
<br />
See [[Squid]] or [[Polipo]] for the setup of a web proxy to speed up browsing and/or add an extra layer of security.<br />
<br />
=== Time server ===<br />
To use the router as a time server, see [[Network Time Protocol daemon]].<br />
<br />
Then, configure shorewall or iptables to allow NTP traffic in and out.<br />
<br />
=== Content filtering ===<br />
<br />
Install and configure [[DansGuardian]] or [[Privoxy]] if you need a content filtering solution.<br />
<br />
=== Traffic shaping ===<br />
<br />
Traffic shaping is very useful, especially when you are not the only one on the LAN. The idea is to assign a priority to different types of traffic. Interactive traffic (ssh, online gaming) probably needs the highest priority, while P2P traffic can do with the lowest. Then there is everything in between.<br />
<br />
==== Traffic shaping with shorewall ====<br />
<br />
Read [http://www.shorewall.net/traffic_shaping.htm Shorewall's Traffic Shaping/Control] guide.<br />
<br />
Here is my config as an example:<br />
* /etc/shorewall/tcdevices : here is where you define the interface you want to have shaped and its rates. I have got an ADSL connection with a 4MBit down/256KBit up profile.<br />
ppp0 4mbit 256kbit <br />
* /etc/shorewall/tcclasses : here you define the minimum (rate) and maximum (ceil) throughput per class. You will assign each one to a type of traffic to shape.<br />
# interactive traffic (ssh)<br />
ppp0 1 full full 0<br />
# online gaming<br />
ppp0 2 full/2 full 5<br />
# http<br />
ppp0 3 full/4 full 10<br />
# rest<br />
ppp0 4 full/6 full 15 default<br />
* /etc/shorewall/tcrules : this file contains the types of traffic and the class it belongs to.<br />
1 0.0.0.0/0 0.0.0.0/0 tcp ssh<br />
2 0.0.0.0/0 0.0.0.0/0 udp 27000:28000<br />
3 0.0.0.0/0 0.0.0.0/0 tcp http<br />
3 0.0.0.0/0 0.0.0.0/0 tcp https<br />
I have split my traffic into 4 groups: <br />
# interactive traffic or ssh: although it takes up almost no bandwidth, it is very annoying if it lags due to leechers on the LAN. This gets the highest priority.<br />
# online gaming: needless to say, you cannot play when your ping sucks. ;)<br />
# webtraffic: can be a bit slower<br />
# everything else: every sort of download, they are the cause of the lag anyway.<br />
<br />
===Intrusion detection and prevention with snort===<br />
<br />
See [[Snort]].<br />
<br />
==See also==<br />
*[[Simple stateful firewall]]<br />
*[[Internet sharing]]</div>Foucaulthttps://wiki.archlinux.org/index.php?title=Router&diff=369318Router2015-04-11T14:21:20Z<p>Foucault: /* Acquiring WAN IPv6 via DHCPv6-PD */</p>
<hr />
<div>[[Category:Networking]]<br />
[[Category:Security]]<br />
{{Poor writing|The introduction states that this page "focuses on ''security''", but 99% is plain system configuration. It also needs massive deduplication, security is already covered [[Simple stateful firewall|elsewhere]].}}<br />
<br />
This article is a tutorial for turning a computer into an internet gateway/router. It focuses on ''security'', since the gateway is connected directly to the Internet. It should not run '''any''' services available to the outside world. Towards the LAN, it should only run gateway-specific services. It should not run httpd, ftpd, samba, nfsd, etc.; those belong on a server inside the LAN, as they introduce security flaws.<br />
<br />
This article does not attempt to show how to set up a shared connection between 2 PCs using cross-over cables. For a simple internet sharing solution, see [[Internet sharing]].<br />
<br />
==Hardware Requirements==<br />
* At least 1 GB of hard drive space. The base install will take up around 500MB of space and if you want to use a caching web proxy, you will need to reserve space for the cache as well.<br />
* At least two physical network interfaces: a gateway connects two networks with each other. You will need to be able to connect those networks to the same physical computer. One interface must connect to the external network, while the other connects to the internal network.<br />
* A hub, switch or UTP cable: you need a way to connect the other computers to the gateway.<br />
<br />
==Conventions==<br />
Conventions in this guide will be to use non-realistic interface names, to avoid confusion about which interface is which.<br />
<br />
* '''intern0''': the network card connected to the LAN. On an actual computer it will probably have the name enp2s0, enp1s1, etc.<br />
* '''extern0''': the network card connected to the external network (or WAN). It will probably have the name enp2s0, enp1s1, etc.<br />
<br />
==Installation==<br />
{{Note | For a full installation guide, see the [[Installation guide]].}}<br />
<br />
A fresh install of Arch Linux is the easiest to start from, as no configuration changes have been made and there is a minimal number of packages installed. This is helpful when attempting to reduce security risk.<br />
<br />
===Partitioning===<br />
<br />
For security purposes, {{ic|/var}}, {{ic|/tmp}} and {{ic|/home}} should be separate from the {{ic|/}} partition. This prevents disk space from being completely used up by log files, daemons or the unprivileged user. It also allows different mount options for those partitions. If you have already partitioned your drive, the [http://gparted.sourceforge.net/ gparted livecd] can be used to resize, move, or create new partitions.<br />
<br />
Your home and root partitions can be much smaller than a regular install since this is not a desktop machine. {{ic|/var}} should be the largest partition—it is where databases, logs and long-term caches are stored. If you have a lot of RAM, mounting {{ic|/tmp}} as {{ic|tmpfs}} is a good idea, so making a disk partition for it during the initial install is unnecessary. Note that {{ic|/tmp}} is mounted as {{ic|tmpfs}} by default in Arch.<br />
<br />
===Post-Installation===<br />
After creating a non-root account, it is recommended to install [[sudo]] and [[sudo#Disable root login|disable root login]].<br />
<br />
==Network interface configuration==<br />
<br />
===Persistent naming and Interface renaming===<br />
systemd automatically chooses unique interface names for all your interfaces. These are persistent and will not change when you reboot. If you would like to rename interfaces to more user-friendly names, read [[Network configuration#Device_names]].<br />
<br />
===IP configuration===<br />
Now you will need to configure the network interfaces. The best way to do so is using [[netctl]] profiles. You will need to create two profiles.<br />
{{Note|If you will be connecting to the Internet only via PPPoE (you have one WAN port) you '''do not need''' to set up or enable the extern0-profile. See below for more information on configuring PPPoE.}}<br />
* {{ic|/etc/netctl/extern0-profile}}<br />
Description='Public Interface.'<br />
Interface=extern0<br />
Connection=ethernet<br />
IP='dhcp'<br />
<br />
* {{ic|/etc/netctl/intern0-profile}}<br />
Description='Private Interface'<br />
Interface=intern0<br />
Connection=ethernet<br />
IP='static'<br />
Address=('10.0.0.1/24')<br />
<br />
{{Note|The example configuration above assumes a full subnet. If you are building the gateway for a small amount of people, you will want to change the CIDR suffix to accommodate a smaller range. For example /27 will give you 10.0.0.1 to 10.0.0.30. You can find many CIDR calculators online.}}<br />
<br />
Next up is to set up the interfaces with netctl.<br />
# netctl enable extern0-profile<br />
# netctl enable intern0-profile<br />
<br />
==ADSL connection/PPPoE==<br />
Using rp-pppoe, we can connect an ADSL modem to the {{ic|extern0}} interface of the firewall and have Arch manage the connection. Make sure you put the modem in ''bridged'' mode though (either half-bridge or RFC1483), otherwise the modem will act as a router too.<br />
# pacman -S rp-pppoe<br />
<br />
Note that if you use only PPPoE to connect to the internet (i.e. you have no other WAN port except the one that connects to your modem), you do not need to set up the {{ic|extern0-profile}}, as the external pseudo-interface will be {{ic|ppp0}}.<br />
<br />
===PPPoE configuration===<br />
You can use netctl to set up the PPPoE connection. To get started:<br />
# cp /etc/netctl/examples/pppoe /etc/netctl/<br />
and start editing. For the interface configuration, choose the interface that connects to the modem. If you only connect to the internet through PPPoE this will probably be {{ic|extern0}}. Fill in the rest of the fields with your ISP information. See the PPPoE section of the {{ic|netctl.profile(5)}} man page for more information on the fields.<br />
<br />
==DNS and DHCP==<br />
We will use [[dnsmasq]], a DNS and DHCP daemon for the LAN. It was specifically designed for small sites. To get it, [[Pacman | install]] {{Pkg|dnsmasq}} from the [[official repositories]].<br />
<br />
Dnsmasq needs to be configured to be a DHCP server. To do this:<br />
<br />
Edit {{ic|/etc/dnsmasq.conf}}:<br />
<br />
interface=intern0 # make dnsmasq listen for requests only on intern0 (our LAN)<br />
expand-hosts # add a domain to simple hostnames in /etc/hosts<br />
domain=foo.bar # allow fully qualified domain names for DHCP hosts (needed when<br />
# "expand-hosts" is used)<br />
dhcp-range=10.0.0.2,10.0.0.255,255.255.255.0,1h # defines a DHCP-range for the LAN: <br />
# from 10.0.0.2 to .255 with a subnet mask of 255.255.255.0 and a<br />
# DHCP lease of 1 hour (change to your own preferences)<br />
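<br />
The CIDR note above and the {{ic|dhcp-range}} line both depend on the same arithmetic: which addresses of the LAN block are actually usable. The following shell script is an added example, not part of this article or of dnsmasq itself. It computes the usable range of a CIDR block (reproducing the /27 figures from the note) and checks that a dhcp-range stays strictly inside the subnet and clear of the router's own address; run against the values above it flags the range because 10.0.0.255 is the broadcast address of 10.0.0.0/24, while an end of 10.0.0.254 passes. All addresses are the article's sample values.<br />
<br />
```shell
#!/bin/bash
# Added example (not part of the ArchWiki Router article): work out the usable
# host range of an IPv4 CIDR block and check that a dnsmasq dhcp-range fits
# inside the LAN subnet without overlapping the network, broadcast or router
# address. All addresses below are the article's sample 10.0.0.0/24 values.

# ip2int 10.0.0.1 -> 167772161 (dotted quad to 32-bit integer)
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip 167772161 -> 10.0.0.1
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_range ADDR/LEN -> "first-usable last-usable" (what the /27 note computes)
cidr_range() {
    local plen=${1#*/} mask net bcast
    mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    net=$(( $(ip2int "${1%/*}") & mask ))
    bcast=$(( net | (~mask & 0xFFFFFFFF) ))
    echo "$(int2ip $(( net + 1 ))) $(int2ip $(( bcast - 1 )))"
}

# check_dhcp_range ROUTER/LEN START END -> prints "ok", or the problem and
# returns 1. The dhcp-range must lie strictly between the network and
# broadcast addresses and must not include the router's own address.
check_dhcp_range() {
    local plen=${1#*/} router mask net bcast start end
    router=$(ip2int "${1%/*}")
    start=$(ip2int "$2")
    end=$(ip2int "$3")
    mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    net=$(( router & mask ))
    bcast=$(( net | (~mask & 0xFFFFFFFF) ))
    if [ "$start" -gt "$end" ]; then
        echo "start $2 is after end $3"; return 1
    fi
    if [ "$start" -le "$net" ] || [ "$end" -ge "$bcast" ]; then
        echo "range $2-$3 leaves $(int2ip "$net")/$plen (broadcast $(int2ip "$bcast"))"; return 1
    fi
    if [ "$router" -ge "$start" ] && [ "$router" -le "$end" ]; then
        echo "range $2-$3 includes the router address ${1%/*}"; return 1
    fi
    echo ok
}

# Usage: the article's Address=('10.0.0.1/24') with its dhcp-range.
cidr_range 10.0.0.1/27                                  # 10.0.0.1 10.0.0.30
check_dhcp_range 10.0.0.1/24 10.0.0.2 10.0.0.255 || :   # ends on the broadcast address
check_dhcp_range 10.0.0.1/24 10.0.0.2 10.0.0.254        # ok
```
<br />
The same check is worth running whenever you shrink the prefix as the note suggests: with a /27, a dhcp-range that still ends at .254 would be rejected because it leaves the subnet.<br />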
<br />
Further down in the file you will notice you can also add "static" DHCP leases, i.e. assign an IP address to the MAC address of a computer on the LAN. This way, whenever the computer requests a new lease, it will get the same IP. That is very useful for network servers with a DNS record. You can also deny certain MACs from obtaining an IP.<br />
<br />
Now start dnsmasq:<br />
# systemctl start dnsmasq.service<br />
<br />
==Connection sharing==<br />
<br />
Time to tie the two network interfaces to each other.<br />
===iptables===<br />
[[Simple stateful firewall]] documents the setup of an [[iptables]] firewall and NAT.<br />
<br />
Make sure you added the firewall exceptions for DHCP (port 67) and DNS (port 53) on the internal interface if you want to use dnsmasq:<br />
<br />
* Insert Rules:<br />
# iptables -t filter -I INPUT -i intern0 -p udp -m udp --dport 67 -j ACCEPT<br />
# iptables -t filter -I INPUT -i intern0 -p tcp -m tcp --dport 67 -j ACCEPT<br />
# iptables -t filter -I INPUT -i intern0 -p udp -m udp --dport 53 -j ACCEPT<br />
# iptables -t filter -I INPUT -i intern0 -p tcp -m tcp --dport 53 -j ACCEPT<br />
<br />
<br />
===Shorewall===<br />
Shorewall, an iptables frontend, can be used as an easier alternative. See [[Shorewall]] for detailed configuration.<br />
<br />
==IPv6==<br />
<br />
{{Merge|IPv6|Merge into the main article, the topic is not specific to ''router configuration''. The wording should be probably changed along the way.}}<br />
<br />
''Useful reading: [[IPv6]] and the [https://en.wikipedia.org/wiki/IPv6 Wikipedia IPv6 entry].''<br />
<br />
You can use your router in IPv6 mode even if you do not have an IPv6 address from your ISP. Unless you disable IPv6, all interfaces should already have been assigned a unique link-local address from {{ic|fe80::/10}}.<br />
<br />
For internal networking the block {{ic|fc00::/7}} has been reserved. These addresses are guaranteed to be unique and non-routable from the open internet. Addresses that belong to the {{ic|fc00::/7}} block are called [http://en.wikipedia.org/wiki/Unique_local_address Unique Local Addresses]. To get started [http://www.simpledns.com/private-ipv6.aspx generate a ULA /64 block] to use in your network. For this example we will use {{ic|fd00:aaaa:bbbb:cccc::/64}}. Firstly we must assign a static IPv6 on the internal interface. Modify the {{ic|intern0-profile}} we created above to include the following line<br />
IPCustom=('-6 addr add fd00:aaaa:bbbb:cccc::1/64 dev intern0')<br />
This will add the ULA to the internal interface. As far as the router goes, this is all you need to configure.<br />
<br />
===Router Advertisement and Stateless Autoconfiguration (SLAAC)===<br />
<br />
To properly hand out IPv6s to the network clients we will need to use an advertising daemon. The standard tool for this job is {{Pkg|radvd}} and is available in [[official repositories]]. Configuration of radvd is fairly simple. Edit {{ic|/etc/radvd.conf}} to include<br />
<br />
interface intern0 {<br />
AdvSendAdvert on;<br />
MinRtrAdvInterval 3;<br />
MaxRtrAdvInterval 10;<br />
prefix fd00:aaaa:bbbb:cccc::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
};<br />
};<br />
<br />
The above configuration will tell clients to autoconfigure themselves using addresses from the specified /64 block. Addresses on the clients are uniquely generated from the MAC address of the connected interface and are optionally randomized for privacy reasons if [[IPv6#Privacy_Extensions|privacy extensions]] are enabled (which is recommended). On the client side you need to enable {{ic|1=IP6=stateless}} in your active netctl profile. If you want a static IP as well, add<br />
IPCustom=('-6 addr add fd00:aaaa:bbbb:cccc::2/64 dev eth0')<br />
<br />
Do not forget to enable {{ic|radvd.service}}.<br />
<br />
====Firewall tweaks====<br />
<br />
Stateless autoconfiguration works on the condition that ICMPv6 packets are allowed throughout the network, so some firewall tweaks are required on both ends of the network for it to work properly. On the '''client side''' all you need to do is allow the {{ic|ipv6-icmp}} protocol on the INPUT chain. If you are using [[Simple stateful firewall]] you only need to add<br />
<br />
-A INPUT -p ipv6-icmp -j ACCEPT<br />
<br />
You can limit it to the internal network using {{ic|-s fd00:aaaa:bbbb:cccc::/64}} and/or {{ic|-s fe80::/10}} if you consider it a security risk. Additionally, you must add the same rules to your router firewall, extending them to the OUTPUT and FORWARD chains as well.<br />
<br />
-A INPUT -p ipv6-icmp -j ACCEPT<br />
-A OUTPUT -p ipv6-icmp -j ACCEPT<br />
-A FORWARD -p ipv6-icmp -j ACCEPT<br />
<br />
Again, you can limit it to the internal network for the INPUT chain.<br />
<br />
{{Expansion|More information on IPv6 firewalls required}}<br />
{{Expansion|Additional info on running DHCPv6 server instead of SLAAC}}<br />
<br />
===Global Unicast Addresses===<br />
<br />
====Static WAN IPv6====<br />
<br />
If your ISP or WAN network can access the IPv6 Internet you can assign global unicast addresses to your router and propagate them through SLAAC to your internal network. If you can use a static IPv6 address, all you must do is add it to your external profile and enable the advertisement of the global unicast block in {{ic|radvd.conf}}.<br />
<br />
In {{ic|/etc/netctl/extern0-profile}} simply add the IPv6 address and prefix length (usually /64) you have been provided:<br />
<br />
IPCustom=('-6 addr add 2002:1:2:3:4:5:6:7/64 dev extern0')<br />
<br />
and edit {{ic|/etc/radvd.conf}} to include the new advertisement block.<br />
<br />
interface intern0 {<br />
AdvSendAdvert on;<br />
MinRtrAdvInterval 3;<br />
MaxRtrAdvInterval 10;<br />
prefix fd00:aaaa:bbbb:cccc::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
};<br />
prefix 2002:1:2:3::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
};<br />
};<br />
<br />
This way your internal network clients will also get a global IPv6 address. This address is routable from the open internet, so adjust your firewalls accordingly. Note that global and local IPv6 addresses can co-exist on the same interface without further configuration.<br />
<br />
====Acquiring WAN IPv6 via DHCPv6-PD====<br />
<br />
You can acquire IPv6 via prefix delegation following the instructions in the [[IPv6|main IPv6 article]]. Following the conventions of this article the WAN interface is {{ic|extern0}} (or {{ic|ppp0}} if you are connecting through PPPoE) and the LAN interface is {{ic|intern0}}. You might need to update your Router Advertisement configuration to advertise all assigned {{ic|/64}} prefixes. Simply change {{ic|/etc/radvd.conf}} to<br />
<br />
interface intern0 {<br />
AdvSendAdvert on;<br />
MinRtrAdvInterval 3;<br />
MaxRtrAdvInterval 10;<br />
prefix ::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
DeprecatePrefix on;<br />
};<br />
};<br />
<br />
====PPPoE and IPv6====<br />
If your ISP provides IPv6 via PPPoE you can enable it in your PPPoE netctl profile. Just add this to the profile:<br />
<br />
PPPoEIP6=yes<br />
<br />
and restart it. You must also change any {{ic|extern0}} references in the configuration files above to {{ic|ppp0}}, since IPv6 is assigned to the ppp pseudo-interface instead of a real ethernet interface. Note that, depending on your modem, IPv6 might not be available in half-bridge mode, so switch to full RFC1483 bridging instead.<br />
<br />
{{Warning|dhclient does not support DHCPv6-PD via PPP}}<br />
<br />
==Cleanup==<br />
<br />
Now that the installation is complete, remove as many packages as possible. Since we are making a gateway, keeping unneeded packages only "bloats" the system and increases the number of security risks.<br />
<br />
First, list the packages that are no longer found in the sync databases (foreign packages), which after a fresh install and a long series of updates may include obsolete or dropped packages:<br />
<br />
$ pacman -Qm<br />
<br />
Review the list of explicitly installed packages that are not dependencies and remove any that are unneeded. Having only needed packages installed is an important security consideration.<br />
<br />
$ pacman -Qet<br />
<br />
Completely remove the packages you do not need along with their configuration files and dependencies:<br />
<br />
# pacman -Rsn package1 package2 package3<br />
<br />
== Logrotate ==<br />
<br />
You should review the [[logrotate]] configuration to make sure the box is not brought down by lack of diskspace due to logging.<br />
<br />
Logrotate is installed by default, so you will not have to install it.<br />
<br />
==Optional additions==<br />
<br />
===UPnP===<br />
The above configuration of shorewall does not include [[Wikipedia:UPnP|UPnP]] support. Use of UPnP is discouraged, as it may make the gateway vulnerable to attacks from within the LAN. However, some applications require it to function correctly.<br />
<br />
To enable UPnP on your router, you need to install a UPnP Internet Gateway Daemon (IGD). To get one, install {{Pkg|miniupnpd}} from the [[official repositories]].<br />
<br />
Read the [http://www.shorewall.net/UPnP.html Shorewall guide on UPnP] for more information.<br />
<br />
===Remote administration===<br />
<br />
[[SSH|OpenSSH]] can be used to administer your router remotely. This is useful for running it "headless" (no monitor or input devices).<br />
<br />
=== Caching web proxy ===<br />
<br />
See [[Squid]] or [[Polipo]] for the setup of a web proxy to speed up browsing and/or adding an extra layer of security.<br />
<br />
=== Time server ===<br />
To use the router as a time server, see [[Network Time Protocol daemon]].<br />
<br />
Then, configure shorewall or iptables to allow NTP traffic in and out.<br />
<br />
=== Content filtering ===<br />
<br />
Install and configure [[DansGuardian]] or [[Privoxy]] if you need a content filtering solution.<br />
<br />
=== Traffic shaping ===<br />
<br />
Traffic shaping is very useful, especially when you are not the only one on the LAN. The idea is to assign a priority to different types of traffic. Interactive traffic (ssh, online gaming) probably needs the highest priority, while P2P traffic can do with the lowest. Then there is everything in between.<br />
<br />
==== Traffic shaping with shorewall ====<br />
<br />
Read [http://www.shorewall.net/traffic_shaping.htm Shorewall's Traffic Shaping/Control] guide.<br />
<br />
Here is my config as an example:<br />
* /etc/shorewall/tcdevices : here is where you define the interface you want to have shaped and its rates. I have got an ADSL connection with a 4MBit down/256KBit up profile.<br />
ppp0 4mbit 256kbit <br />
* /etc/shorewall/tcclasses : here you define the minimum (rate) and maximum (ceil) throughput per class. You will assign each one to a type of traffic to shape.<br />
# interactive traffic (ssh)<br />
ppp0 1 full full 0<br />
# online gaming<br />
ppp0 2 full/2 full 5<br />
# http<br />
ppp0 3 full/4 full 10<br />
# rest<br />
ppp0 4 full/6 full 15 default<br />
* /etc/shorewall/tcrules : this file contains the types of traffic and the class it belongs to.<br />
1 0.0.0.0/0 0.0.0.0/0 tcp ssh<br />
2 0.0.0.0/0 0.0.0.0/0 udp 27000:28000<br />
3 0.0.0.0/0 0.0.0.0/0 tcp http<br />
3 0.0.0.0/0 0.0.0.0/0 tcp https<br />
I have split my traffic into 4 groups:<br />
# interactive traffic or ssh: although it takes up almost no bandwidth, it is very annoying if it lags due to leechers on the LAN. This gets the highest priority.<br />
# online gaming: needless to say you cannot play when your ping sucks. ;)<br />
# web traffic: can be a bit slower<br />
# everything else: every sort of download; they are the cause of the lag anyway.<br />
<br />
===Intrusion detection and prevention with snort===<br />
<br />
See [[Snort]].<br />
<br />
==See also==<br />
*[[Simple stateful firewall]]<br />
*[[Internet sharing]]</div>Foucaulthttps://wiki.archlinux.org/index.php?title=IPv6&diff=369317IPv62015-04-11T14:20:34Z<p>Foucault: Add info for PPPoE and IPv6</p>
<hr />
<div>[[Category:Networking]]<br />
[[es:IPv6]]<br />
[[ja:IPv6]]<br />
[[pt:IPv6]]<br />
[[ru:IPv6]]<br />
[[zh-CN:IPv6]]<br />
{{Related articles start}}<br />
{{Related|IPv6 tunnel broker setup}}<br />
{{Related articles end}}<br />
In Arch Linux, IPv6 is enabled by default. If you are looking for information regarding IPv6 tunnels, you may want to look at [[IPv6 tunnel broker setup]].<br />
<br />
== Privacy extensions ==<br />
<br />
To enable Privacy Extensions for Stateless Address Autoconfiguration in IPv6 according to [https://tools.ietf.org/html/rfc4941 RFC 4941], reproduce the following steps:<br />
<br />
Add these lines to {{ic|/etc/sysctl.d/40-ipv6.conf}}:<br />
<br />
# Enable IPv6 Privacy Extensions<br />
net.ipv6.conf.all.use_tempaddr = 2<br />
net.ipv6.conf.default.use_tempaddr = 2<br />
net.ipv6.conf.''nic0''.use_tempaddr = 2<br />
...<br />
net.ipv6.conf.''nicN''.use_tempaddr = 2<br />
<br />
Where {{ic|nic0}} to {{ic|nicN}} are your '''N'''etwork '''I'''nterface '''C'''ards. The {{ic|all.use_tempaddr}} and {{ic|default.use_tempaddr}} parameters are not applied to NICs that already exist when the [[sysctl]] settings are executed, which is why each existing interface is listed explicitly.<br />
<br />
After a reboot, at the latest, Privacy Extensions should be enabled.<br />
<br />
=== dhcpcd ===<br />
<br />
[[dhcpcd]] includes in its default configuration file since version 6.4.0 the option {{ic|slaac private}}, which enables "Stable Private IPv6 Addresses instead of hardware based ones", implementing [https://tools.ietf.org/html/rfc7217 RFC 7217] ([http://roy.marples.name/projects/dhcpcd/info/8aa9dab00dc72c453aeccbde885ecce27a3d81ff commit]). Therefore, it is not necessary to change anything, unless you want the IPv6 address to change more often than each time the system connects to a new network.<br />
<br />
=== NetworkManager ===<br />
<br />
NetworkManager does not honour the settings placed in {{ic|/etc/sysctl.d/40-ipv6.conf}}. This can be verified by running {{ic|$ ip -6 addr show ''interface''}} after rebooting: no {{ic|scope global '''temporary'''}} address appears besides the regular one.<br />
<br />
See [[NetworkManager#Enable IPv6 Privacy Extensions]] for a workaround.<br />
<br />
{{Note|Although it may seem the {{ic|scope global temporary}} IPv6 address created by enabling Privacy Extensions never gets renewed (it never shifts to {{ic|deprecated}} status at the term of its {{ic|valid_lft}} lifetime), it is to be verified over a longer period of time that this address '''does''' indeed change.}}<br />
<br />
== Neighbor discovery ==<br />
<br />
Pinging the multicast address {{ic|ff02::1}} results in all hosts in link-local scope responding. An interface has to be specified:<br />
<br />
$ ping6 ff02::1%eth0<br />
<br />
With a ping to the multicast address {{ic|ff02::2}} only routers will respond.<br />
<br />
If you add the option {{ic|-I ''your-global-ipv6''}}, link-local hosts will respond with their global scope addresses. The interface can be omitted in this case:<br />
<br />
$ ping6 -I 2001:4f8:fff6::21 ff02::1<br />
<br />
== Static address ==<br />
<br />
Sometimes using a static address can improve security. For example, if your local router uses Neighbor Discovery or radvd ([http://www.apps.ietf.org/rfc/rfc2461.html RFC 2461]), your interface will automatically be assigned an address based on its MAC address (using IPv6 Stateless Autoconfiguration). This may be less than ideal for security, since it allows a system to be tracked even if the network portion of the IP address changes.<br />
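<br />
The tracking concern above, and the statement in the Router entry earlier in this feed that SLAAC addresses are "uniquely generated using the MAC address", both come down to the modified EUI-64 construction of RFC 4291 Appendix A. The following shell script is an added example, not part of this article or of radvd or netctl: it builds the autoconfigured address a client would form from its MAC under a given /64, and recovers the MAC from such an address, which is possible precisely because the ff:fe marker and the flipped universal/local bit are fixed. The MAC {{ic|00:11:22:33:44:55}}, the prefix {{ic|2001:db8:1:2::/64}} and the temporary address in the test are constructed sample values; the ULA prefix is the one used in the Router entry.<br />
<br />
```shell
#!/bin/bash
# Added example (not part of the ArchWiki IPv6 article): derive the SLAAC
# address a client forms from its MAC address (modified EUI-64, RFC 4291
# Appendix A) and recover the MAC from such an address, which is why the
# address stays trackable when the prefix changes. MAC, prefixes and
# addresses below are constructed sample values.

# eui64_iid MAC -> interface identifier as four hextets, e.g. 211:22ff:fe33:4455
eui64_iid() {
    set -- $(printf '%s' "$1" | tr ':' ' ')
    [ $# -eq 6 ] || { echo "bad MAC: $*" >&2; return 1; }
    # Flip the universal/local bit of the first octet, insert ff:fe in the middle.
    printf '%x:%x:%x:%x\n' \
        $(( ((0x$1 ^ 0x02) << 8) | 0x$2 )) \
        $(( (0x$3 << 8) | 0xff )) \
        $(( 0xfe00 | 0x$4 )) \
        $(( (0x$5 << 8) | 0x$6 ))
}

# slaac_address PREFIX::/64 MAC -> the autoconfigured address. Assumes the
# prefix is written with a trailing "::" as radvd.conf does.
slaac_address() {
    local pfx=${1%/*}
    pfx=${pfx%::}
    echo "$pfx:$(eui64_iid "$2")"
}

# mac_from_slaac ADDRESS -> MAC if the low 64 bits are an EUI-64 identifier,
# otherwise returns 1 (temporary/privacy addresses carry no ff:fe marker).
mac_from_slaac() {
    set -- $(printf '%s' "$1" | awk -F: 'NF >= 4 { print $(NF-3), $(NF-2), $(NF-1), $NF }')
    [ $# -eq 4 ] || { echo "not an EUI-64 address" >&2; return 1; }
    local h1=$(( 0x$1 )) h2=$(( 0x$2 )) h3=$(( 0x$3 )) h4=$(( 0x$4 ))
    if [ $(( h2 & 255 )) -ne 255 ] || [ $(( h3 >> 8 )) -ne 254 ]; then
        echo "not an EUI-64 address" >&2; return 1
    fi
    printf '%02x:%02x:%02x:%02x:%02x:%02x\n' \
        $(( (h1 >> 8) ^ 0x02 )) $(( h1 & 255 )) $(( h2 >> 8 )) \
        $(( h3 & 255 )) $(( h4 >> 8 )) $(( h4 & 255 ))
}

# Usage: the same MAC yields the same identifier under the ULA and a global prefix.
slaac_address fd00:aaaa:bbbb:cccc::/64 00:11:22:33:44:55   # fd00:aaaa:bbbb:cccc:211:22ff:fe33:4455
slaac_address 2001:db8:1:2::/64 00:11:22:33:44:55          # 2001:db8:1:2:211:22ff:fe33:4455
mac_from_slaac fd00:aaaa:bbbb:cccc:211:22ff:fe33:4455      # 00:11:22:33:44:55
```
<br />
Comparing the two usage lines shows the point of the section: the last four hextets are identical under both prefixes, so anyone who sees the address on either network can match the host. A temporary address produced by the privacy extensions above fails {{ic|mac_from_slaac}} because the ff:fe marker is absent, which is the behaviour you want from a client.<br />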
<br />
To assign a static IP address using [[netctl]], look at the example profile in {{ic|/etc/netctl/examples/ethernet-static}}. The following lines are important:<br />
<br />
...<br />
# For IPv6 static address configuration<br />
IP6=static<br />
Address6=('1234:5678:9abc:def::1/64' '1234:3456::123/96')<br />
Routes6=('abcd::1234')<br />
Gateway6='1234:0:123::abcd'<br />
<br />
== IPv6 and PPPoE ==<br />
<br />
The standard tool for PPPoE, {{ic|pppd}}, provides support for IPv6 on PPPoE as long as your ISP and your modem support it. Just add the following to {{ic|/etc/ppp/pppoe.conf}}:<br />
<br />
+ipv6<br />
<br />
If you are using [[netctl]] for PPPoE, then just add the following to your netctl profile instead:<br />
<br />
PPPoEIP6=yes<br />
<br />
== Prefix delegation (DHCPv6-PD) ==<br />
<br />
Prefix delegation is a common IPv6 deployment technique used by many ISPs. It is a method of assigning a network prefix to a user site (i.e. a local network). A router can be configured to assign different network prefixes to various subnetworks. The ISP hands out a network prefix using DHCPv6 and a DHCP client assigns the prefixes to the local network. For a simple two-interface gateway, it practically assigns an IPv6 prefix to the interface connected to the local network from a delegation acquired through the interface connected to the WAN (or a pseudo-interface such as ppp).<br />
<br />
For '''dibbler''' edit {{ic|/etc/dibbler/client.conf}}<br />
<br />
log-mode short<br />
log-level 7<br />
# use the interface connected to your WAN<br />
iface "WAN" {<br />
ia<br />
pd<br />
}<br />
<br />
{{Tip|Read manpage '''{{ic|dibbler-client(8)}}''' for more information.}}<br />
<br />
For '''wide-dhcpv6''' edit {{ic|/etc/wide-dhcpv6/dhcp6c.conf}}<br />
<br />
# use the interface connected to your WAN<br />
interface WAN {<br />
send ia-pd 0;<br />
};<br />
<br />
id-assoc pd 0 {<br />
# use the interface connected to your LAN<br />
prefix-interface LAN {<br />
sla-id 1;<br />
sla-len 8;<br />
};<br />
};<br />
<br />
{{Note|1={{ic|sla-len}} should be set so that {{ic|1=(WAN-prefix) + (sla-len) = 64}}. In this case it is set up for a {{ic|/56}} prefix 56+8=64. For a {{ic|/64}} prefix {{ic|sla-len}} should be {{ic|0}}.}}<br />
<br />
To enable/start the wide-dhcpv6 client use the following command. Replace {{ic|WAN}} with the interface that is connected to your WAN.<br />
# systemctl enable/start dhcp6c@WAN.service<br />
<br />
{{Tip|Read manpages '''{{ic|dhcp6c(8)}}''' and '''{{ic|dhcp6c.conf(5)}}''' for more information.}}<br />
<br />
For '''dhcpcd''' edit {{ic|/etc/dhcpcd.conf}}. You might already be using dhcpcd for IPv4 so just update your existing configuration.<br />
<br />
duid<br />
noipv6rs<br />
waitip 6<br />
# Uncomment this line if you are running dhcpcd for IPv6 only.<br />
#ipv6only<br />
<br />
# use the interface connected to WAN<br />
interface WAN<br />
ipv6rs<br />
iaid 1<br />
# use the interface connected to your LAN<br />
ia_pd 1 LAN<br />
#ia_pd 1/::/64 LAN/0/64<br />
<br />
This configuration will ask for a prefix from WAN interface ({{ic|WAN}}) and delegate it to the internal interface ({{ic|LAN}}).<br />
In the event that a {{ic|/64}} range is issued, you will need to use the 2nd {{ic|ia_pd instruction}} that is commented out instead.<br />
It will also disable router solicitations on all interfaces except for the WAN interface ({{ic|WAN}}).<br />
<br />
{{Tip|Also read: manpages '''{{ic|dhcpcd(8)}}''' and '''{{ic|dhcpcd.conf(5)}}'''.}}<br />
<br />
== IPv6 on Comcast ==<br />
<br />
{{ic|dhcpcd -4}} or {{ic|dhcpcd -6}} worked using a Motorola SURFBoard 6141 and a Realtek RTL8168d/8111d. Either would work, but would not run dual stack: both protocols and addresses on one interface. (The {{ic|-6}} command would not work if {{ic|-4}} ran first, even after resetting the interface. And when it did, it gave the NIC a /128 address.) Try these commands:<br />
<br />
# dhclient -4 enp3s0<br />
# dhclient -P -v enp3s0<br />
<br />
The {{ic|-P}} argument grabs a lease of the IPv6 prefix only. {{ic|-v}} writes to {{ic|stdout}} what is also written to {{ic|/var/lib/dhclient/dhclient6.leases}}:<br />
<br />
Bound to *:546<br />
Listening on Socket/enp3s0<br />
Sending on Socket/enp3s0<br />
PRC: Confirming active lease (INIT-REBOOT).<br />
XMT: Forming Rebind, 0 ms elapsed.<br />
XMT: X-- IA_PD a1:b2:cd:e2<br />
XMT: | X-- Requested renew +3600<br />
XMT: | X-- Requested rebind +5400<br />
XMT: | | X-- '''IAPREFIX 1234:5:6700:890::/64'''<br />
<br />
{{ic|IAPREFIX}} is the necessary value. Substitute {{ic|::1}} before the CIDR slash to make the prefix a real address:<br />
<br />
# ip -6 addr add 1234:5:6700:890::1/64 dev enp3s0<br />
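<br />
The two manual steps above (read {{ic|IAPREFIX}} off the dhclient output, then put {{ic|::1}} in front of the prefix length) are easy to script. The following shell script is an added example, not part of this article or of dhclient: it parses a constructed copy of the log shown above, reusing the article's example prefix, and derives the address for the {{ic|ip -6 addr add}} step. It also handles a prefix that arrives fully expanded and refuses one with {{ic|::}} in the middle rather than guessing.<br />
<br />
```shell
#!/bin/bash
# Added example (not part of the ArchWiki IPv6 article): pull the delegated
# IAPREFIX out of dhclient's -v output and turn it into the router's own
# address on the LAN side, as the section above does by hand. The log below is
# a constructed sample reusing the article's example prefix.

SAMPLE_DHCLIENT_LOG='Bound to *:546
Listening on Socket/enp3s0
Sending on Socket/enp3s0
PRC: Confirming active lease (INIT-REBOOT).
XMT: Forming Rebind, 0 ms elapsed.
XMT: X-- IA_PD a1:b2:cd:e2
XMT: | X-- Requested renew +3600
XMT: | X-- Requested rebind +5400
XMT: | | X-- IAPREFIX 1234:5:6700:890::/64'

# delegated_prefix LOG -> last IAPREFIX value (prefix/len); returns 1 if none.
delegated_prefix() {
    printf '%s\n' "$1" | awk '/IAPREFIX/ { p = $NF } END { if (p == "") exit 1; print p }'
}

# router_address PREFIX/LEN -> PREFIX::1/LEN. Handles the usual "xxxx::/64"
# form and a fully expanded prefix ("2001:db8:1:2:0:0:0:0/64"); a prefix with
# "::" in the middle is rejected rather than guessed at.
router_address() {
    local len=${1#*/} pfx=${1%/*}
    case $pfx in
        *::)  echo "${pfx}1/$len" ;;
        *::*) echo "unsupported prefix form: $1" >&2; return 1 ;;
        *)    while [ "${pfx%:0}" != "$pfx" ]; do pfx=${pfx%:0}; done
              echo "${pfx}::1/$len" ;;
    esac
}

# Usage: what the "ip -6 addr add" step in the section above needs.
prefix=$(delegated_prefix "$SAMPLE_DHCLIENT_LOG")   # 1234:5:6700:890::/64
router_address "$prefix"                             # 1234:5:6700:890::1/64
```
<br />
On a live router the log would come from {{ic|dhclient -P -v}} itself, for example {{ic|router_address "$(delegated_prefix "$(cat /var/lib/dhclient/dhclient6.leases)")"}}; the {{ic|2001:db8}} prefix in the test is a constructed documentation value.<br />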
<br />
== Disable IPv6 ==<br />
<br />
{{Note|The Arch kernel has IPv6 support built in directly, therefore a module cannot be blacklisted.}}<br />
<br />
{{Expansion|Add reasons why users may want to disable IPv6, such as low-quality DNS servers or firewall rules}}<br />
<br />
=== Disable functionality ===<br />
<br />
Adding {{ic|1=ipv6.disable=1}} to the kernel line disables the whole IPv6 stack, which is likely what you want if you are experiencing issues. See [[Kernel parameters]] for more information.<br />
<br />
Alternatively, adding {{ic|1=ipv6.disable_ipv6=1}} instead will keep the IPv6 stack functional but will not assign IPv6 addresses to any of your network devices.<br />
<br />
One can also avoid assigning IPv6 addresses to specific network interfaces by adding the following sysctl config to {{ic|/etc/sysctl.d/40-ipv6.conf}}:<br />
<br />
# Disable IPv6<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.''nic0''.disable_ipv6 = 1<br />
...<br />
net.ipv6.conf.''nicN''.disable_ipv6 = 1<br />
<br />
Note that you must list all of the targeted interfaces explicitly, as setting {{ic|all.disable_ipv6}} does not apply to interfaces that are already "up" when the sysctl settings are applied.<br />
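<br />
The caveat just stated, and the matching one in the Privacy extensions section above ({{ic|all.use_tempaddr}} not reaching interfaces that already exist), are both easy to miss because {{ic|sysctl}} reports success. The following shell script is an added example, not part of this article: it reads each real interface's value under {{ic|/proc/sys/net/ipv6/conf}} (the files that {{ic|sysctl}} writes), reports any that differ from the value you intended, and can push the value to the ones that were missed. The optional directory argument exists so the check can be exercised against a constructed copy of that layout; on a live system it is omitted.<br />
<br />
```shell
#!/bin/bash
# Added example (not part of the ArchWiki IPv6 article): verify that a
# per-interface IPv6 setting (use_tempaddr=2 for privacy extensions,
# disable_ipv6=1 here) actually reached every real interface, since all.* and
# default.* do not touch interfaces that already exist, and push the value to
# any that were missed. CONF_DIR defaults to the kernel's
# /proc/sys/net/ipv6/conf; the test uses a constructed directory instead.

# check_ipv6_conf KEY WANT [CONF_DIR] -> prints each interface whose KEY differs,
# returns 1 if any does. all/default/lo are skipped (they are not real NICs).
check_ipv6_conf() {
    local key=$1 want=$2 dir=${3:-/proc/sys/net/ipv6/conf} d name have rc=0
    for d in "$dir"/*/; do
        name=$(basename "$d")
        case $name in all|default|lo|'*') continue ;; esac
        [ -r "$d$key" ] || continue
        have=$(cat "$d$key")
        if [ "$have" != "$want" ]; then
            echo "$name: $key=$have (want $want)"
            rc=1
        fi
    done
    return $rc
}

# set_ipv6_conf KEY VALUE [CONF_DIR] -> write VALUE into KEY for every real
# interface (what "sysctl net.ipv6.conf.<nic>.KEY=VALUE" does per interface).
set_ipv6_conf() {
    local key=$1 value=$2 dir=${3:-/proc/sys/net/ipv6/conf} d
    for d in "$dir"/*/; do
        case $(basename "$d") in all|default|lo|'*') continue ;; esac
        [ -w "$d$key" ] && echo "$value" > "$d$key"
    done
    return 0
}

# Usage on a live system (read-only here; set_ipv6_conf needs root):
#   check_ipv6_conf use_tempaddr 2 || set_ipv6_conf use_tempaddr 2
#   check_ipv6_conf disable_ipv6 1
check_ipv6_conf use_tempaddr 2 || :
```
<br />
Writing to the per-interface file is only a runtime fix; to make it survive a reboot the explicit {{ic|net.ipv6.conf.''nicN''.*}} lines in {{ic|/etc/sysctl.d/40-ipv6.conf}} are still needed, and the check is the quick way to confirm they took effect.<br />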
<br />
Also, if disabling IPv6 via sysctl, you should comment out the IPv6 hosts in your {{ic|/etc/hosts}}:<br />
<br />
#<ip-address> <hostname.domain.org> <hostname><br />
127.0.0.1 localhost.localdomain localhost<br />
#::1 localhost.localdomain localhost<br />
<br />
otherwise there could be connection errors because hosts are resolved to their IPv6 address, which is not reachable.<br />
<br />
=== Other programs ===<br />
<br />
Disabling IPv6 functionality in the kernel does not prevent other programs from trying to use IPv6. In most cases, this is completely harmless, but if you find yourself having issues with that program, you should consult the program's manual pages for a way to disable that functionality.<br />
<br />
==== dhcpcd ====<br />
<br />
''dhcpcd'' will continue to harmlessly attempt to perform IPv6 router solicitation. To disable this, as stated in the {{ic|dhcpcd.conf (5)}} [[man page]], add the following to {{ic|/etc/dhcpcd.conf}}:<br />
<br />
noipv6rs<br />
noipv6<br />
<br />
==== NetworkManager ====<br />
<br />
{{Poor writing|Specific approach to disable via GUI}}<br />
<br />
To disable IPv6 in NetworkManager, right click the network status icon, and select ''Edit Connections > Wired > ''Network name'' > Edit > IPv6 Settings > Method > Ignore/Disabled''<br />
<br />
Then click "Save".<br />
<br />
==== ntpd ====<br />
<br />
Following advice in [[Systemd#Drop-in snippets]], change how systemd starts {{ic|ntpd.service}}:<br />
<br />
# systemctl edit ntpd.service<br />
<br />
This will create a drop-in snippet that will be run instead of the default {{ic|ntpd.service}}. The {{ic|-4}} flag prevents IPv6 from being used by the ntp daemon. Put the following into the drop-in snippet:<br />
<br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/ntpd -4 -g -u ntp:ntp<br />
<br />
which first clears the previous {{ic|ExecStart}}, and then replaces it with one that includes the {{ic|-4}} flag.<br />
<br />
== See also ==<br />
<br />
* [https://www.kernel.org/doc/Documentation/networking/ipv6.txt IPv6] - kernel.org documentation<br />
* [http://www.ipsidixit.net/2012/08/09/ipv6-temporary-addresses-and-privacy-extensions/ IPv6 temporary addresses] - a summary about temporary addresses and privacy extensions<br />
* [http://tldp.org/HOWTO/Linux+IPv6-HOWTO/x513.html IPv6 prefixes] - a summary of prefix types<br />
* [http://tldp.org/HOWTO/Linux+IPv6-HOWTO/proc-sys-net-ipv6..html net.ipv6 options] - documentation of kernel parameters</div>Foucaulthttps://wiki.archlinux.org/index.php?title=Router&diff=369314Router2015-04-11T14:07:49Z<p>Foucault: /* Acquiring WAN IPv6 via DHCPv6-PD */ Moved Prefix Delegation information to the main IPv6 article</p>
<hr />
<div>[[Category:Networking]]<br />
[[Category:Security]]<br />
{{Poor writing|The introduction states that this page "focuses on ''security''", but 99% is plain system configuration. It also needs massive deduplication, security is already covered [[Simple stateful firewall|elsewhere]].}}<br />
<br />
This article is a tutorial for turning a computer into an internet gateway/router. It focuses on ''security'', since the gateway is connected directly to the Internet. It should not run '''any''' services available to the outside world. Towards the LAN, it should only run gateway-specific services. It should not run httpd, ftpd, samba, nfsd, etc.; those belong on a server in the LAN, as they introduce security flaws on the gateway.<br />
<br />
This article does not attempt to show how to set up a shared connection between 2 PCs using cross-over cables. For a simple internet sharing solution, see [[Internet sharing]].<br />
<br />
==Hardware Requirements==<br />
* At least 1 GB of hard drive space. The base install will take up around 500MB of space and if you want to use a caching web proxy, you will need to reserve space for the cache as well.<br />
* At least two physical network interfaces: a gateway connects two networks with each other. You will need to be able to connect those networks to the same physical computer. One interface must connect to the external network, while the other connects to the internal network.<br />
* A hub, switch or UTP cable: you need a way to connect the other computers to the gateway.<br />
<br />
==Conventions==<br />
Conventions in this guide will be to use non-realistic interface names, to avoid confusion about which interface is which.<br />
<br />
* '''intern0''': the network card connected to the LAN. On an actual computer it will probably have the name enp2s0, enp1s1, etc.<br />
* '''extern0''': the network card connected to the external network (or WAN). It will probably have the name enp2s0, enp1s1, etc.<br />
<br />
==Installation==<br />
{{Note | For a full installation guide, see the [[Installation guide]].}}<br />
<br />
A fresh install of Arch Linux is the easiest to start from, as no configuration changes have been made and there is a minimal amount of packages installed. This is helpful when attempting to reduce security risk.<br />
<br />
===Partitioning===<br />
<br />
For security purposes, {{ic|/var}}, {{ic|/tmp}} and {{ic|/home}} should be separate from the {{ic|/}} partition. This prevents disk space from being completely used up by log files, daemons or the unprivileged user. It also allows different mount options for those partitions. If you have already partitioned your drive, the [http://gparted.sourceforge.net/ gparted livecd] can be used to resize, move, or create new partitions.<br />
<br />
Your home and root partitions can be much smaller than a regular install since this is not a desktop machine. {{ic|/var}} should be the largest partition—it is where databases, logs and long-term caches are stored. If you have a lot of RAM, mounting {{ic|/tmp}} as {{ic|tmpfs}} is a good idea, so making a disk partition for it during the initial install is unnecessary. Note that {{ic|/tmp}} is mounted as {{ic|tmpfs}} by default in Arch.<br />
<br />
===Post-Installation===<br />
After creating a non-root account, it is recommended to install [[sudo]] and [[sudo#Disable root login|disable root login]].<br />
<br />
==Network interface configuration==<br />
<br />
===Persistent naming and Interface renaming===<br />
Systemd automatically chooses unique interface names for all your interfaces. These names are persistent and will not change when you reboot. If you would like to rename interfaces to friendlier names, read [[Network configuration#Device_names]].<br />
<br />
===IP configuration===<br />
Now you will need to configure the network interfaces. The best way to do so is using [[netctl]] profiles. You will need to create two profiles.<br />
{{Note|If you will be connecting to the Internet only via PPPoE (you have one WAN port) you '''do not need''' to set up or enable the extern0-profile. See below for more information on configuring PPPoE.}}<br />
* {{ic|/etc/netctl/extern0-profile}}<br />
Description='Public Interface.'<br />
Interface=extern0<br />
Connection=ethernet<br />
IP='dhcp'<br />
<br />
* {{ic|/etc/netctl/intern0-profile}}<br />
Description='Private Interface'<br />
Interface=intern0<br />
Connection=ethernet<br />
IP='static'<br />
Address=('10.0.0.1/24')<br />
<br />
{{Note|The example configuration above assumes a full subnet. If you are building the gateway for a small amount of people, you will want to change the CIDR suffix to accommodate a smaller range. For example /27 will give you 10.0.0.1 to 10.0.0.30. You can find many CIDR calculators online.}}<br />
<br />
Next up is to set up the interfaces with netctl.<br />
# netctl enable extern0-profile<br />
# netctl enable intern0-profile<br />
<br />
==ADSL connection/PPPoE==<br />
Using rp-pppoe, we can connect an ADSL modem to the {{ic|extern0}} interface of the firewall and have Arch manage the connection. Make sure you put the modem in ''bridged'' mode though (either half-bridge or RFC1483), otherwise the modem will act as a router too.<br />
# pacman -S rp-pppoe<br />
<br />
Note that if you use only PPPoE to connect to the internet (i.e. you have no other WAN port except the one that connects to your modem), you do not need to set up the {{ic|extern0-profile}}, as the external pseudo-interface will be {{ic|ppp0}}.<br />
<br />
===PPPoE configuration===<br />
You can use netctl to set up the PPPoE connection. To get started:<br />
# cp /etc/netctl/examples/pppoe /etc/netctl/<br />
and start editing. For the interface configuration, choose the interface that connects to the modem. If you only connect to the internet through PPPoE this will probably be {{ic|extern0}}. Fill in the rest of the fields with your ISP information. See the PPPoE section of the {{ic|netctl.profile(5)}} man page for more information on the fields.<br />
<br />
==DNS and DHCP==<br />
We will use [[dnsmasq]], a DNS and DHCP daemon for the LAN. It was specifically designed for small sites. To get it, [[Pacman | install]] {{Pkg|dnsmasq}} from the [[official repositories]].<br />
<br />
Dnsmasq needs to be configured to be a DHCP server, and to answer only on the LAN side. Edit {{ic|/etc/dnsmasq.conf}}:<br />
<br />
interface=intern0 # listen for DNS and DHCP requests only on intern0 (our LAN); without this dnsmasq answers on extern0 too<br />
expand-hosts # add the domain to simple hostnames from /etc/hosts<br />
domain=foo.bar # domain for DHCP hosts (needed when "expand-hosts" is used)<br />
dhcp-range=10.0.0.2,10.0.0.254,255.255.255.0,1h # DHCP range for the LAN: from 10.0.0.2 to 10.0.0.254 with a<br />
# subnet mask of 255.255.255.0 and a DHCP lease of 1 hour (change to your own preferences)<br />
<br />
The range must stay inside the subnet assigned to {{ic|intern0}} and must exclude both the router's own address (10.0.0.1) and the broadcast address of the subnet (10.0.0.255 for a /24); a range ending on the broadcast address is a configuration error. Add {{ic|bind-interfaces}} if you want dnsmasq to bind its sockets to {{ic|intern0}} only, instead of binding to all addresses and discarding requests that arrive on other interfaces.<br />
<br />
Further down in the same file you can also add "static" DHCP leases ({{ic|dhcp-host}}), i.e. assign a fixed IP address to the MAC address of a computer on the LAN. Whenever that computer requests a new lease, it gets the same IP, which is useful for network servers with a DNS record. You can also deny certain MAC addresses from obtaining an IP at all.<br />
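The checks described in the two notes above (range inside the subnet, router and broadcast addresses excluded, dnsmasq bound to the LAN interface) as an added example in Python; this is not part of the original article or of dnsmasq itself. It parses a constructed {{ic|dnsmasq.conf}} excerpt that uses the range this article originally showed, {{ic|10.0.0.2,10.0.0.255}}, and reports why it is wrong; the function names and the sample configuration are assumptions made for the example.<br />

```python
import ipaddress

# Constructed dnsmasq.conf excerpt for this example. The dhcp-range is the one
# the article originally showed: its end address is the broadcast address of the /24.
SAMPLE_CONF = """\
interface=intern0   # listen only on the LAN
expand-hosts
domain=foo.bar
dhcp-range=10.0.0.2,10.0.0.255,255.255.255.0,1h
"""


def strip_comment(line):
    """dnsmasq treats '#' as the start of a comment (the sample has none inside quotes)."""
    return line.split("#", 1)[0].strip()


def parse_dnsmasq(text):
    """Return (options, ranges). options maps option name to value; ranges is a
    list of (start, end, netmask, lease) tuples taken from dhcp-range lines."""
    options, ranges = {}, []
    for raw in text.splitlines():
        line = strip_comment(raw)
        if not line:
            continue
        name, _, value = line.partition("=")
        if name != "dhcp-range":
            options[name] = value
            continue
        fields = [f.strip() for f in value.split(",")]
        start, end = ipaddress.ip_address(fields[0]), ipaddress.ip_address(fields[1])
        netmask = fields[2] if len(fields) > 2 else None
        lease = fields[3] if len(fields) > 3 else None
        ranges.append((start, end, netmask, lease))
    return options, ranges


def check_dhcp_config(text, lan_iface, lan_cidr):
    """Check the DHCP settings against the LAN interface address, e.g. '10.0.0.1/24'.
    Returns a list of problem strings; an empty list means the config is consistent."""
    lan = ipaddress.ip_interface(lan_cidr)
    net = lan.network
    options, ranges = parse_dnsmasq(text)
    problems = []
    if options.get("interface") != lan_iface:
        problems.append("interface= must be %s, otherwise dnsmasq also answers on the WAN side" % lan_iface)
    if not ranges:
        problems.append("no dhcp-range: dnsmasq will not act as a DHCP server")
    for start, end, netmask, _lease in ranges:
        if start not in net or end not in net:
            problems.append("range %s-%s is not inside %s" % (start, end, net))
            continue
        if start > end:
            problems.append("range start %s is above its end %s" % (start, end))
        if start == net.network_address:
            problems.append("range start %s is the network address" % start)
        if end == net.broadcast_address:
            problems.append("range end %s is the broadcast address of %s" % (end, net))
        if start <= lan.ip <= end:
            problems.append("router address %s lies inside the range" % lan.ip)
        if netmask is not None:
            given = ipaddress.IPv4Network(("0.0.0.0", netmask)).prefixlen
            if given != net.prefixlen:
                problems.append("netmask %s is a /%d but %s is a /%d" % (netmask, given, lan_iface, net.prefixlen))
    return problems


def suggest_range(lan_cidr):
    """Largest valid range for the subnet: every usable host address except the router's."""
    lan = ipaddress.ip_interface(lan_cidr)
    usable = [h for h in lan.network.hosts() if h != lan.ip]
    return str(usable[0]), str(usable[-1])


def fixed_range_line(lan_cidr, lease="1h"):
    """A dhcp-range= line that fits the given router address/prefix."""
    start, end = suggest_range(lan_cidr)
    return "dhcp-range=%s,%s,%s,%s" % (start, end, ipaddress.ip_interface(lan_cidr).netmask, lease)


if __name__ == "__main__":
    for p in check_dhcp_config(SAMPLE_CONF, "intern0", "10.0.0.1/24"):
        print("problem:", p)
    print(fixed_range_line("10.0.0.1/24"))   # the /24 from this article
    print(fixed_range_line("10.0.0.1/27"))   # the smaller subnet from the note above
```

Run it against your own {{ic|/etc/dnsmasq.conf}} by reading the file into {{ic|check_dhcp_config}}; the check of {{ic|interface=}} is the security-relevant one, since a dnsmasq that also answers on the WAN side is an open resolver.<br />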
<br />
Now start dnsmasq:<br />
# systemctl start dnsmasq.service<br />
<br />
==Connection sharing==<br />
<br />
Time to tie the two network interfaces to each other.<br />
===iptables===<br />
[[Simple stateful firewall]] documents the setup of an [[iptables]] firewall and NAT.<br />
<br />
Make sure you add the firewall exceptions for DHCP (UDP port 67) and DNS (UDP and TCP port 53) on the LAN interface if you want to use dnsmasq. DHCP uses UDP only, so no TCP rule is needed for port 67. Keep the {{ic|-i intern0}} match: it is what prevents the same services from being reachable on {{ic|extern0}}.<br />
<br />
* Insert Rules:<br />
# iptables -t filter -I INPUT -i intern0 -p udp -m udp --dport 67 -j ACCEPT<br />
# iptables -t filter -I INPUT -i intern0 -p udp -m udp --dport 53 -j ACCEPT<br />
# iptables -t filter -I INPUT -i intern0 -p tcp -m tcp --dport 53 -j ACCEPT<br />
<br />
<br />
===Shorewall===<br />
Shorewall, an iptables frontend, can be used as an easier alternative. See [[Shorewall]] for detailed configuration.<br />
<br />
==IPv6==<br />
<br />
{{Merge|IPv6|Merge into the main article, the topic is not specific to ''router configuration''. The wording should be probably changed along the way.}}<br />
<br />
''Useful reading: [[IPv6]] and the [https://en.wikipedia.org/wiki/IPv6 Wikipedia IPv6 entry].''<br />
<br />
You can use your router in IPv6 mode even if you do not have an IPv6 prefix from your ISP. Unless you have disabled IPv6, every interface already has a unique link-local address from {{ic|fe80::/10}}.<br />
<br />
For internal networking the block {{ic|fc00::/7}} has been reserved for [http://en.wikipedia.org/wiki/Unique_local_address Unique Local Addresses] (ULA). In practice only {{ic|fd00::/8}} is used: a ULA prefix is {{ic|fd}} followed by a randomly generated 40-bit global ID, which makes it unique with very high probability (not guaranteed), and these addresses are not routed on the public Internet. To get started [http://www.simpledns.com/private-ipv6.aspx generate a ULA /64 block] to use in your network, or generate the 40 random bits locally. For this example we will use {{ic|fd00:aaaa:bbbb:cccc::/64}}. First assign a static IPv6 address on the internal interface by adding the following line to the {{ic|intern0-profile}} created above<br />
IPCustom=('-6 addr add fd00:aaaa:bbbb:cccc::1/64 dev intern0')<br />
This will add the ULA to the internal interface. As far as the router itself goes, this is all that is needed.<br />
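Generating the ULA prefix locally instead of with the online generator linked above, as an added Python example that is not part of the original article: it follows the RFC 4193 recipe (hash some time and system entropy, keep the low 40 bits as the global ID) and checks that a candidate prefix is a /64 inside {{ic|fd00::/8}} before it is handed to netctl or radvd. Function names and the {{ic|seed}} argument, which exists only to make the example reproducible, are assumptions of the example.<br />

```python
import hashlib
import ipaddress
import os
import time

ULA_BLOCK = ipaddress.ip_network("fc00::/7")   # reserved for ULA (RFC 4193)
ULA_LOCAL = ipaddress.ip_network("fd00::/8")   # the locally assigned half, the only one in use


def ula_global_id(seed=None):
    """40-bit global ID as RFC 4193 section 3.2.2 suggests: hash a timestamp together
    with some system-specific entropy and keep the low 40 bits. `seed` exists only so
    the example is reproducible; real use leaves it None."""
    if seed is None:
        seed = time.time_ns().to_bytes(8, "big") + os.urandom(8)
    return hashlib.sha1(seed).digest()[-5:]


def make_ula(subnet_id=1, global_id=None):
    """Build fdXX:XXXX:XXXX:SSSS::/64 from a 40-bit global ID and a 16-bit subnet ID."""
    gid = global_id if global_id is not None else ula_global_id()
    if len(gid) != 5:
        raise ValueError("global ID must be exactly 40 bits (5 bytes)")
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet ID must fit in 16 bits")
    # fd | 40-bit global ID | 16-bit subnet ID | 64 zero bits (the interface identifier)
    prefix = bytes([0xFD]) + gid + subnet_id.to_bytes(2, "big") + bytes(8)
    return ipaddress.IPv6Network((int.from_bytes(prefix, "big"), 64))


def is_usable_ula(net):
    """True for a /64 inside fd00::/8, which is what radvd should be told to advertise."""
    net = ipaddress.ip_network(net)
    return net.prefixlen == 64 and net.subnet_of(ULA_LOCAL)


def router_address(net):
    """Conventional router address: the first host of the prefix (::1)."""
    return ipaddress.ip_network(net)[1]


if __name__ == "__main__":
    ula = make_ula(subnet_id=1)
    print(ula, router_address(ula), is_usable_ula(ula))
```

The output of {{ic|make_ula}} is what goes into the {{ic|IPCustom}} line above (with {{ic|router_address}} as the address) and into the {{ic|prefix}} stanza of {{ic|radvd.conf}} further down; {{ic|is_usable_ula}} rejects prefixes from the unused {{ic|fc00::/8}} half and global prefixes pasted in by mistake.<br />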
<br />
===Router Advertisement and Stateless Autoconfiguration (SLAAC)===<br />
<br />
To properly hand out IPv6s to the network clients we will need to use an advertising daemon. The standard tool for this job is {{Pkg|radvd}} and is available in [[official repositories]]. Configuration of radvd is fairly simple. Edit {{ic|/etc/radvd.conf}} to include<br />
<br />
interface intern0 {<br />
AdvSendAdvert on;<br />
MinRtrAdvInterval 3;<br />
MaxRtrAdvInterval 10;<br />
prefix fd00:aaaa:bbbb:cccc::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
};<br />
};<br />
<br />
The above configuration tells clients to autoconfigure themselves with addresses from the specified /64 block. By default a client derives its interface identifier from the MAC address of the connected interface (modified EUI-64), which makes the host trackable across networks; if [[IPv6#Privacy_Extensions|privacy extensions]] are enabled (recommended) the client additionally uses randomised temporary addresses for outgoing connections. On the client side you need to set {{ic|1=IP6=stateless}} in your active netctl profile. If you want a static IP as well add<br />
IPCustom=('-6 addr add fd00:aaaa:bbbb:cccc::2/64 dev eth0')<br />
<br />
Don't forget to enable radvd.service<br />
<br />
====Firewall tweaks====<br />
<br />
Stateless autoconfiguration works only if ICMPv6 (Neighbor Discovery) packets are allowed throughout the network, so some firewall tweaks are required on both ends for it to work properly. On the '''client side''' all you need to do is allow the {{ic|ipv6-icmp}} protocol on the INPUT chain. If you are using [[Simple stateful firewall]] you only need to add<br />
<br />
-A INPUT -p ipv6-icmp -j ACCEPT<br />
<br />
You can limit this to the internal network using {{ic|-s fd00:aaaa:bbbb:cccc::/64}} and/or {{ic|-s fe80::/10}} if you consider it a risk. The router needs the same rule, and additionally on the OUTPUT and FORWARD chains:<br />
<br />
-A INPUT -p ipv6-icmp -j ACCEPT<br />
-A OUTPUT -p ipv6-icmp -j ACCEPT<br />
-A FORWARD -p ipv6-icmp -j ACCEPT<br />
<br />
Again, you can limit the INPUT rule to the internal network, or to the ICMPv6 types Neighbor Discovery actually needs ({{ic|--icmpv6-type router-solicitation}}, {{ic|neighbour-solicitation}} and {{ic|neighbour-advertisement}}). Do not drop ICMPv6 wholesale on FORWARD: besides Neighbor Discovery it carries {{ic|packet-too-big}}, which IPv6 path MTU discovery depends on.<br />
<br />
{{Expansion|More information on IPv6 firewalls required}}<br />
{{Expansion|Additional info on running DHCPv6 server instead of SLAAC}}<br />
<br />
===Global Unicast Addresses===<br />
<br />
====Static WAN IPv6====<br />
<br />
If your ISP or WAN network can reach the IPv6 Internet you can assign global unicast addresses to your router and propagate them through SLAAC to your internal network. If you have a static IPv6 prefix, all you must do is add it to your external profile and enable advertisement of the global unicast block in {{ic|radvd.conf}}.<br />
<br />
In {{ic|/etc/netctl/extern0-profile}} simply add the IPv6 address and prefix length (usually /64) you have been provided (the values below are placeholders)<br />
<br />
IPCustom=('-6 addr add 2002:1:2:3:4:5:6:7/64 dev extern0')<br />
<br />
and edit {{ic|/etc/radvd.conf}} to include the new advertisement block.<br />
<br />
interface intern0 {<br />
AdvSendAdvert on;<br />
MinRtrAdvInterval 3;<br />
MaxRtrAdvInterval 10;<br />
prefix fd00:aaaa:bbbb:cccc::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
};<br />
prefix 2002:1:2:3::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
};<br />
};<br />
<br />
In that way your internal network clients will also get a global IPv6 address. These addresses are routable from the open Internet, so every LAN host becomes directly reachable: the router's ip6tables FORWARD chain must default to DROP and only allow established/related traffic inbound, plus whatever you explicitly want exposed. Global and local IPv6 addresses can co-exist on the same interface without further configuration.<br />
<br />
====Acquiring WAN IPv6 via DHCPv6-PD====<br />
<br />
You can acquire IPv6 via prefix delegation following the instructions in the [[IPv6|main IPv6 article]]. Following the conventions of this article the WAN interface is {{ic|extern0}} and the LAN interface is {{ic|intern0}}. You might need to update your Router Advertisement configuration to advertise all assigned {{ic|/64}} prefixes. Simply change {{ic|/etc/radvd.conf}} to<br />
<br />
interface intern0 {<br />
AdvSendAdvert on;<br />
MinRtrAdvInterval 3;<br />
MaxRtrAdvInterval 10;<br />
prefix ::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
DeprecatePrefix on;<br />
};<br />
};<br />
<br />
====PPPoE and IPv6====<br />
If your ISP provides IPv6 via PPPoE you can enable it in your pppoe netctl profile. Just add this to pppoe netctl profile<br />
<br />
PPPoEIP6=yes<br />
<br />
and restart it. Also change any {{ic|extern0}} references in the configuration files above to {{ic|ppp0}}, since IPv6 is assigned to the ppp pseudo-interface instead of the physical Ethernet interface. Depending on your modem, IPv6 might not be available through half-bridge mode; switch to full RFC 1483 bridging instead.<br />
<br />
{{Warning|dhclient does not support DHCP6-PD via PPP}}<br />
<br />
==Cleanup==<br />
<br />
Now that the installation has been performed, it is necessary to remove as many packages as possible. Since we are making a gateway, keeping unneeded packages only "bloats" the system, and increases the number of security risks.<br />
<br />
First, list packages that are not in any configured repository (packages installed from the AUR or by hand, or packages that have since been dropped from the repositories); these are likely after a fresh install followed by a long series of updates:<br />
<br />
$ pacman -Qm<br />
<br />
Then review the list of explicitly installed packages that no other package depends on and remove any that are not needed. Keeping only needed packages installed shrinks the attack surface of the gateway.<br />
<br />
$ pacman -Qet<br />
<br />
Completely remove the packages you do not need along with their configuration files and dependencies:<br />
<br />
# pacman -Rsn package1 package2 package3<br />
<br />
== Logrotate ==<br />
<br />
You should review the [[logrotate]] configuration to make sure the box is not brought down by lack of diskspace due to logging.<br />
<br />
Logrotate is installed by default, so you will not have to install it.<br />
<br />
==Optional additions==<br />
<br />
===UPnP===<br />
The above configuration of shorewall does not include [[Wikipedia:UPnP|UPnP]] support. Use of UPnP is discouraged: any host on the LAN, including a compromised one, can ask the gateway to open and forward ports without any authentication. However, some applications require it to function correctly.<br />
<br />
To enable UPnP on your router, you need to install a UPnP Internet gateway daemon (IGD). To get it, install {{Pkg|miniupnpd}} from the [[official repositories]].<br />
<br />
Read the [http://www.shorewall.net/UPnP.html Shorewall guide on UPnP] for more information.<br />
<br />
===Remote administration===<br />
<br />
[[SSH|OpenSSH]] can be used to administer your router remotely. This is useful for running it "headless" (no monitor or input devices).<br />
<br />
=== Caching web proxy ===<br />
<br />
See [[Squid]] or [[Polipo]] for the setup of a web proxy to speed up browsing and/or adding an extra layer of security.<br />
<br />
=== Time server ===<br />
To use the router as a time server, see [[Network Time Protocol daemon]].<br />
<br />
Then, configure shorewall or iptables to allow NTP traffic in and out.<br />
<br />
=== Content filtering ===<br />
<br />
Install and configure [[DansGuardian]] or [[Privoxy]] if you need a content filtering solution.<br />
<br />
=== Traffic shaping ===<br />
<br />
Traffic shaping is very useful, especially when you are not the only one on the LAN. The idea is to assign a priority to different types of traffic. Interactive traffic (ssh, online gaming) probably needs the highest priority, while P2P traffic can do with the lowest. Then there is everything in between.<br />
<br />
==== Traffic shaping with shorewall ====<br />
<br />
Read [http://www.shorewall.net/traffic_shaping.htm Shorewall's Traffic Shaping/Control] guide.<br />
<br />
Here is my config as an example:<br />
* /etc/shorewall/tcdevices : here is where you define the interface you want to have shaped and its rates. I have got an ADSL connection with a 4MBit down/256KBit up profile.<br />
ppp0 4mbit 256kbit <br />
* /etc/shorewall/tcclasses : here you define the minimum (rate) and maximum (ceil) throughput per class. You will assign each one to a type of traffic to shape.<br />
# interactive traffic (ssh)<br />
ppp0 1 full full 0<br />
# online gaming<br />
ppp0 2 full/2 full 5<br />
# http<br />
ppp0 3 full/4 full 10<br />
# rest<br />
ppp0 4 full/6 full 15 default<br />
* /etc/shorewall/tcrules : this file contains the types of traffic and the class it belongs to.<br />
1 0.0.0.0/0 0.0.0.0/0 tcp ssh<br />
2 0.0.0.0/0 0.0.0.0/0 udp 27000:28000<br />
3 0.0.0.0/0 0.0.0.0/0 tcp http<br />
3 0.0.0.0/0 0.0.0.0/0 tcp https<br />
I have split up my traffic in 4 groups: <br />
# interactive traffic or ssh: although it takes up almost no bandwidth, it is very annoying if it lags due to leechers on the LAN. This gets the highest priority.<br />
# online gaming: needless to say you cannot play when your ping sucks. ;)<br />
# web traffic: can be a bit slower<br />
# everything else: every sort of download, they are the cause of the lag anyway.<br />
<br />
===Intrusion detection and prevention with snort===<br />
<br />
See [[Snort]].<br />
<br />
==See also==<br />
*[[Simple stateful firewall]]<br />
*[[Internet sharing]]</div>Foucault<br />
https://wiki.archlinux.org/index.php?title=IPv6&diff=369313 IPv6 2015-04-11T14:02:31Z<p>Foucault: Added section for prefix delegation; in process of moving the information from https://wiki.archlinux.org/index.php/Router#IPv6</p>
<hr />
<div>[[Category:Networking]]<br />
[[es:IPv6]]<br />
[[ja:IPv6]]<br />
[[pt:IPv6]]<br />
[[ru:IPv6]]<br />
[[zh-CN:IPv6]]<br />
{{Related articles start}}<br />
{{Related|IPv6 tunnel broker setup}}<br />
{{Related articles end}}<br />
In Arch Linux, IPv6 is enabled by default. If you are looking for information regarding IPv6 tunnels, you may want to look at [[IPv6 tunnel broker setup]].<br />
<br />
== Privacy extensions ==<br />
<br />
To enable Privacy Extensions for Stateless Address Autoconfiguration in IPv6 according to [https://tools.ietf.org/html/rfc4941 RFC 4941], reproduce the following steps:<br />
<br />
Add these lines to {{ic|/etc/sysctl.d/40-ipv6.conf}}:<br />
<br />
# Enable IPv6 Privacy Extensions<br />
net.ipv6.conf.all.use_tempaddr = 2<br />
net.ipv6.conf.default.use_tempaddr = 2<br />
net.ipv6.conf.''nic0''.use_tempaddr = 2<br />
...<br />
net.ipv6.conf.''nicN''.use_tempaddr = 2<br />
<br />
Where {{ic|nic0}} to {{ic|nicN}} are your network interface cards. The {{ic|all.use_tempaddr}} and {{ic|default.use_tempaddr}} parameters are not applied to NICs that already exist when the [[sysctl]] settings are executed, which is why each interface is listed explicitly.<br />
<br />
After a reboot, at the latest, Privacy Extensions should be enabled.<br />
<br />
=== dhcpcd ===<br />
<br />
[[dhcpcd]] includes in its default configuration file since version 6.4.0 the option {{ic|slaac private}}, which enables "Stable Private IPv6 Addresses instead of hardware based ones", implementing [https://tools.ietf.org/html/rfc7217 RFC 7217] ([http://roy.marples.name/projects/dhcpcd/info/8aa9dab00dc72c453aeccbde885ecce27a3d81ff commit]). Such an address no longer reveals the MAC address and differs from one network to the next, so nothing needs to be changed unless you want the address to change more often than each time the system joins a new network.<br />
<br />
=== NetworkManager ===<br />
<br />
NetworkManager does not honour the settings placed in {{ic|/etc/sysctl.d/40-ipv6.conf}}. This can be verified by running {{ic|$ ip -6 addr show ''interface''}} after rebooting: no {{ic|scope global '''temporary'''}} address appears besides the regular one.<br />
<br />
See [[NetworkManager#Enable IPv6 Privacy Extensions]] for a workaround.<br />
<br />
{{Note|Although it may seem the {{ic|scope global temporary}} IPv6 address created by enabling Privacy Extensions never gets renewed (it never shifts to {{ic|deprecated}} status at the term of its {{ic|valid_lft}} lifetime), it is to be verified over a longer period of time that this address '''does''' indeed change.}}<br />
<br />
== Neighbor discovery ==<br />
<br />
Pinging the multicast address {{ic|ff02::1}} makes all hosts in link-local scope respond. An interface has to be specified, because link-local addresses are only meaningful per link (with current iputils, {{ic|ping -6}} replaces {{ic|ping6}}):<br />
<br />
$ ping6 ff02::1%eth0<br />
<br />
With a ping to the multicast address {{ic|ff02::2}} only routers will respond.<br />
<br />
If you add the option {{ic|-I ''your-global-ipv6''}}, link-local hosts will respond from their global-scope addresses. The interface can be omitted in this case:<br />
<br />
$ ping6 -I 2001:4f8:fff6::21 ff02::1<br />
<br />
== Static address ==<br />
<br />
Sometimes using a static address can improve privacy. For example, if your local router uses Neighbor Discovery or radvd ([http://www.apps.ietf.org/rfc/rfc2461.html RFC 2461], since superseded by RFC 4861), your interface will automatically be assigned an address whose interface identifier is derived from its MAC address (IPv6 stateless autoconfiguration). This is undesirable from a privacy standpoint since it allows a system to be tracked even when the network portion of the address changes.<br />
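A check for both concerns raised in this section and in [[#Privacy extensions]] above (is a temporary address present, and which global addresses still embed the MAC address), as an added Python example that is not part of the original article: it parses {{ic|ip -6 addr show}} output, flags modified EUI-64 interface identifiers (the {{ic|ff:fe}} marker in the middle of the identifier) and recovers the MAC address they leak. The sample output is constructed for the example and the function names are assumptions.<br />

```python
import ipaddress
import re

# Constructed `ip -6 addr show` output. eth0 has privacy extensions enabled (a
# "temporary" address exists); wlan0 does not and carries only an EUI-64 address.
SAMPLE_IP6 = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:1a2b:3cff:fe4d:5e6f/64 scope global dynamic mngtmpaddr
       valid_lft 86389sec preferred_lft 14389sec
    inet6 2001:db8:1:2:8d1e:4b6c:9f3a:2e71/64 scope global temporary dynamic
       valid_lft 86389sec preferred_lft 14389sec
    inet6 fe80::1a2b:3cff:fe4d:5e6f/64 scope link
       valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:9:9:a1b2:c3ff:fed4:e5f6/64 scope global dynamic
       valid_lft 86389sec preferred_lft 14389sec
"""

IFACE_RE = re.compile(r"^(\d+):\s+([^:@\s]+)")
INET6_RE = re.compile(r"^\s*inet6\s+([0-9a-fA-F:]+)/(\d+)\s+scope\s+(\S+)(.*)$")


def parse_ip6_addrs(text):
    """Return (iface, address, prefixlen, scope, flags) for every inet6 line."""
    iface, out = None, []
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(2)
            continue
        m = INET6_RE.match(line)
        if m and iface is not None:
            out.append((iface, m.group(1), int(m.group(2)), m.group(3), m.group(4).split()))
    return out


def is_eui64(addr):
    """True if the interface identifier was derived from a MAC address (modified
    EUI-64): bytes 11 and 12 of the address are 0xff 0xfe."""
    b = ipaddress.IPv6Address(addr).packed
    return b[11] == 0xFF and b[12] == 0xFE


def mac_from_eui64(addr):
    """Recover the MAC address embedded in an EUI-64 interface identifier."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    # drop the ff:fe filler and flip the universal/local bit back
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join("%02x" % x for x in mac)


def privacy_report(text):
    """Per interface: whether a temporary (privacy) address exists, and which global
    addresses still expose the MAC address."""
    report = {}
    for iface, addr, _plen, scope, flags in parse_ip6_addrs(text):
        entry = report.setdefault(iface, {"has_temporary": False, "eui64_global": []})
        if scope != "global":
            continue
        if "temporary" in flags:
            entry["has_temporary"] = True
        elif is_eui64(addr):
            entry["eui64_global"].append(addr)
    return report


if __name__ == "__main__":
    for iface, entry in privacy_report(SAMPLE_IP6).items():
        print(iface, entry)
        for a in entry["eui64_global"]:
            print("  %s leaks MAC %s" % (a, mac_from_eui64(a)))
```

On a real system feed it {{ic|subprocess.check_output(["ip", "-6", "addr", "show"], text=True)}}. An interface with {{ic|has_temporary}} false after the sysctl change above is the NetworkManager case described below; a non-empty {{ic|eui64_global}} list is the tracking problem a static or RFC 7217 address avoids.<br />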
<br />
To assign a static IP address using [[netctl]], look at the example profile in {{ic|/etc/netctl/examples/ethernet-static}}. The following lines are important:<br />
<br />
...<br />
# For IPv6 static address configuration<br />
IP6=static<br />
Address6=('1234:5678:9abc:def::1/64' '1234:3456::123/96')<br />
Routes6=('abcd::1234')<br />
Gateway6='1234:0:123::abcd'<br />
<br />
== Prefix delegation (DHCPv6-PD) ==<br />
<br />
Prefix delegation is a common IPv6 deployment technique used by many ISPs. It is a method of assigning a network prefix to a user site (i.e. a local network). A router can be configured to assign different network prefixes to various subnetworks. The ISP hands out a network prefix using DHCPv6 and a DHCP client assigns (sub-)prefixes to the local network. For a simple two-interface gateway this means assigning an IPv6 prefix to the interface connected to the local network, obtained through the interface connected to the WAN (or a pseudo-interface such as ppp).<br />
<br />
For '''dibbler''' edit {{ic|/etc/dibbler/client.conf}}<br />
<br />
log-mode short<br />
log-level 7<br />
# use the interface connected to your WAN<br />
iface "WAN" {<br />
ia<br />
pd<br />
}<br />
<br />
{{Tip|Read manpage '''{{ic|dibbler-client(8)}}''' for more information.}}<br />
<br />
For '''wide-dhcpv6''' edit {{ic|/etc/wide-dhcpv6/dhcp6c.conf}}<br />
<br />
# use the interface connected to your WAN<br />
interface WAN {<br />
send ia-pd 0;<br />
};<br />
<br />
id-assoc pd 0 {<br />
# use the interface connected to your LAN<br />
prefix-interface LAN {<br />
sla-id 1;<br />
sla-len 8;<br />
};<br />
};<br />
<br />
{{Note|1={{ic|sla-len}} should be set so that {{ic|1=(delegated prefix length) + (sla-len) = 64}}. In this case it is set up for a {{ic|/56}} delegation: 56+8=64. For a {{ic|/64}} delegation {{ic|sla-len}} must be {{ic|0}} (and {{ic|sla-id}} {{ic|0}}), because there is nothing left to subnet.}}<br />
<br />
To enable and start the wide-dhcpv6 client use the following commands. Replace {{ic|WAN}} with the interface that is connected to your WAN.<br />
# systemctl enable dhcp6c@WAN.service<br />
# systemctl start dhcp6c@WAN.service<br />
<br />
{{Tip|Read manpages '''{{ic|dhcp6c(8)}}''' and '''{{ic|dhcp6c.conf(5)}}''' for more information.}}<br />
<br />
For '''dhcpcd''' edit {{ic|/etc/dhcpcd.conf}}. You might already be using dhcpcd for IPv4 so just update your existing configuration.<br />
<br />
duid<br />
noipv6rs<br />
waitip 6<br />
# Uncomment this line if you are running dhcpcd for IPv6 only.<br />
#ipv6only<br />
<br />
# use the interface connected to WAN<br />
interface WAN<br />
ipv6rs<br />
iaid 1<br />
# use the interface connected to your LAN<br />
ia_pd 1 LAN<br />
#ia_pd 1/::/64 LAN/0/64<br />
<br />
This configuration asks for a prefix on the WAN interface ({{ic|WAN}}) and delegates it to the internal interface ({{ic|LAN}}).<br />
If only a {{ic|/64}} is issued, use the second, commented-out {{ic|ia_pd}} line instead, which assigns the whole delegated /64 to {{ic|LAN}}.<br />
It also disables router solicitations on all interfaces except the WAN interface ({{ic|WAN}}).<br />
<br />
{{Tip|Also read: manpages '''{{ic|dhcpcd(8)}}''' and '''{{ic|dhcpcd.conf(5)}}'''.}}<br />
<br />
== IPv6 on Comcast ==<br />
<br />
{{ic|dhcpcd -4}} or {{ic|dhcpcd -6}} worked using a Motorola SURFBoard 6141 and a Realtek RTL8168d/8111d. Either worked alone, but not as a dual stack (both protocols and addresses on one interface): {{ic|-6}} would not work if {{ic|-4}} had run first, even after resetting the interface, and when it did work it gave the NIC a /128 address. Try these commands instead:<br />
<br />
# dhclient -4 enp3s0<br />
# dhclient -P -v enp3s0<br />
<br />
The {{ic|-P}} argument grabs a lease of the IPv6 prefix only. {{ic|-v}} writes to {{ic|stdout}} what is also written to {{ic|/var/lib/dhclient/dhclient6.leases}}:<br />
<br />
Bound to *:546<br />
Listening on Socket/enp3s0<br />
Sending on Socket/enp3s0<br />
PRC: Confirming active lease (INIT-REBOOT).<br />
XMT: Forming Rebind, 0 ms elapsed.<br />
XMT: X-- IA_PD a1:b2:cd:e2<br />
XMT: | X-- Requested renew +3600<br />
XMT: | X-- Requested rebind +5400<br />
XMT: | | X-- '''IAPREFIX 1234:5:6700:890::/64'''<br />
<br />
{{ic|IAPREFIX}} is the necessary value. Substitute {{ic|::1}} before the CIDR slash to turn the prefix into the router's own address:<br />
<br />
# ip -6 addr add 1234:5:6700:890::1/64 dev enp3s0<br />
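The two pieces of prefix arithmetic from this page, the {{ic|sla-len}} rule in the prefix delegation section above and the {{ic|IAPREFIX}} to {{ic|::1}} step just shown, as an added Python example that is not part of the original article: it extracts the delegated prefix from constructed {{ic|dhclient -P -v}} output modelled on the lines above, computes {{ic|sla-len}} and the LAN {{ic|/64}} for a given {{ic|sla-id}}, and builds the final {{ic|ip -6 addr add}} command. The function names and the {{ic|2001:db8:1200::/56}} delegation used for the /56 case are assumptions of the example.<br />

```python
import ipaddress
import re

# Constructed dhclient -P -v output, modelled on the lines shown above.
SAMPLE_DHCLIENT_LOG = """\
Bound to *:546
Listening on Socket/enp3s0
Sending on Socket/enp3s0
PRC: Confirming active lease (INIT-REBOOT).
XMT: Forming Rebind, 0 ms elapsed.
XMT: X-- IA_PD a1:b2:cd:e2
XMT: | X-- Requested renew +3600
XMT: | X-- Requested rebind +5400
XMT: | | X-- IAPREFIX 1234:5:6700:890::/64
"""


def parse_iaprefix(text):
    """Extract the delegated prefix from dhclient's IAPREFIX line."""
    m = re.search(r"IAPREFIX\s+([0-9a-fA-F:]+/\d+)", text)
    if m is None:
        raise ValueError("no IAPREFIX in dhclient output")
    # strict=True: a delegated prefix with host bits set is a sign of a parsing error
    return ipaddress.IPv6Network(m.group(1), strict=True)


def sla_len(delegated):
    """wide-dhcpv6 sla-len: the bits between the delegated prefix and a /64."""
    delegated = ipaddress.ip_network(delegated)
    if delegated.prefixlen > 64:
        raise ValueError("a prefix longer than /64 cannot be used for SLAAC subnets")
    return 64 - delegated.prefixlen


def lan_prefix(delegated, sla_id=0):
    """The /64 handed to the LAN interface for a given sla-id."""
    delegated = ipaddress.ip_network(delegated)
    bits = sla_len(delegated)
    if sla_id >= (1 << bits):
        raise ValueError("sla-id %d does not fit in %d bit(s)" % (sla_id, bits))
    base = int(delegated.network_address)
    # the sla-id occupies the bits directly above the /64 boundary
    return ipaddress.IPv6Network((base | (sla_id << 64), 64))


def router_address(net):
    """First host of the prefix, i.e. the prefix with ::1 substituted."""
    return ipaddress.ip_network(net)[1]


def ip_addr_add_command(net, dev):
    """The `ip -6 addr add` line the article ends with, built from the prefix."""
    net = ipaddress.ip_network(net)
    return "ip -6 addr add %s/%d dev %s" % (router_address(net), net.prefixlen, dev)


if __name__ == "__main__":
    pd = parse_iaprefix(SAMPLE_DHCLIENT_LOG)
    print("delegated:", pd, "sla-len:", sla_len(pd))
    print(ip_addr_add_command(lan_prefix(pd), "enp3s0"))
    print("from a /56:", lan_prefix("2001:db8:1200::/56", sla_id=1))
```

With a /64 delegation there is exactly one LAN prefix and {{ic|sla-id}} must be 0; with a /56 the same function enumerates up to 256 LAN prefixes, which is the case the {{ic|wide-dhcpv6}} configuration above ({{ic|sla-len 8}}) is written for.<br />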
<br />
== Disable IPv6 ==<br />
<br />
{{Note|The Arch kernel has IPv6 support built in directly, therefore a module cannot be blacklisted.}}<br />
<br />
{{Expansion|Add reasons why users may want to disable IPv6, such as low-quality DNS servers or firewall rules}}<br />
<br />
=== Disable functionality ===<br />
<br />
Adding {{ic|1=ipv6.disable=1}} to the kernel line disables the whole IPv6 stack, which is likely what you want if you are experiencing issues. See [[Kernel parameters]] for more information.<br />
<br />
Alternatively, adding {{ic|1=ipv6.disable_ipv6=1}} instead will keep the IPv6 stack functional but will not assign IPv6 addresses to any of your network devices.<br />
<br />
One can also avoid assigning IPv6 addresses to specific network interfaces by adding the following sysctl config to {{ic|/etc/sysctl.d/40-ipv6.conf}}:<br />
<br />
# Disable IPv6<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.''nic0''.disable_ipv6 = 1<br />
...<br />
net.ipv6.conf.''nicN''.disable_ipv6 = 1<br />
<br />
Note that you must list all of the targeted interfaces explicitly: setting {{ic|all.disable_ipv6}} does not reliably cover interfaces that already exist when the sysctl settings are applied, and only {{ic|default.disable_ipv6}} is inherited by interfaces created later.<br />
<br />
Also, if disabling IPv6 via sysctl, you should comment out the IPv6 hosts in {{ic|/etc/hosts}}:<br />
<br />
#<ip-address> <hostname.domain.org> <hostname><br />
127.0.0.1 localhost.localdomain localhost<br />
#::1 localhost.localdomain localhost<br />
<br />
otherwise there could be connection errors because hosts are resolved to their IPv6 address, which is not reachable.<br />
<br />
=== Other programs ===<br />
<br />
Disabling IPv6 functionality in the kernel does not prevent other programs from trying to use IPv6. In most cases, this is completely harmless, but if you find yourself having issues with that program, you should consult the program's manual pages for a way to disable that functionality.<br />
<br />
==== dhcpcd ====<br />
<br />
''dhcpcd'' will continue to harmlessly attempt to perform IPv6 router solicitation. To disable this, as stated in the {{ic|dhcpcd.conf (5)}} [[man page]], add the following to {{ic|/etc/dhcpcd.conf}}:<br />
<br />
noipv6rs<br />
noipv6<br />
<br />
==== NetworkManager ====<br />
<br />
{{Poor writing|Specific approach to disable via GUI}}<br />
<br />
To disable IPv6 in NetworkManager, right click the network status icon, and select ''Edit Connections > Wired > ''Network name'' > Edit > IPv6 Settings > Method > Ignore/Disabled''<br />
<br />
Then click "Save".<br />
<br />
==== ntpd ====<br />
<br />
Following advice in [[Systemd#Drop-in snippets]], change how systemd starts {{ic|ntpd.service}}:<br />
<br />
# systemctl edit ntpd.service<br />
<br />
This will create a drop-in snippet that will be run instead of the default {{ic|ntpd.service}}. The {{ic|-4}} flag prevents IPv6 from being used by the ntp daemon. Put the following into the drop-in snippet:<br />
<br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/ntpd -4 -g -u ntp:ntp<br />
<br />
which first clears the previous {{ic|ExecStart}}, and then replaces it with one that includes the {{ic|-4}} flag.<br />
<br />
== See also ==<br />
<br />
* [https://www.kernel.org/doc/Documentation/networking/ipv6.txt IPv6] - kernel.org documentation<br />
* [http://www.ipsidixit.net/2012/08/09/ipv6-temporary-addresses-and-privacy-extensions/ IPv6 temporary addresses] - a summary about temporary addresses and privacy extensions<br />
* [http://tldp.org/HOWTO/Linux+IPv6-HOWTO/x513.html IPv6 prefixes] - a summary of prefix types<br />
* [http://tldp.org/HOWTO/Linux+IPv6-HOWTO/proc-sys-net-ipv6..html net.ipv6 options] - documentation of kernel parameters</div>Foucault<br />
https://wiki.archlinux.org/index.php?title=Router&diff=311305 Router 2014-04-21T12:56:53Z<p>Foucault: /* Acquiring WAN IPv6 via DHCPv6-PD */ sla-len depends on the wan prefix.</p>
<hr />
<div>[[Category:Networking]]<br />
[[Category:Security]]<br />
This article is a tutorial for turning a computer into an internet gateway/router. It focuses on ''security'', since the gateway is connected directly to the Internet. It should not run '''any''' services available to the outside world. Towards the LAN, it should only run gateway-specific services. It should not run httpd, ftpd, samba, nfsd, etc.: those belong on a server inside the LAN, and each of them adds attack surface to the one machine that faces the Internet.<br />
<br />
This article does not attempt to show how to set up a shared connection between 2 PCs using cross-over cables. For a simple internet sharing solution, see [[Internet sharing]].<br />
<br />
==Hardware Requirements==<br />
* At least 1 GB of hard drive space. The base install will take up around 500MB of space and if you want to use a caching web proxy, you will need to reserve space for the cache as well.<br />
* At least two physical network interfaces: a gateway connects two networks with each other. You will need to be able to connect those networks to the same physical computer. One interface must connect to the external network, while the other connects to the internal network.<br />
* A hub, switch or UTP cable: You need a way to connect the other computers to the gateway<br />
<br />
==Conventions==<br />
Conventions in this guide will be to use non-realistic interface names, to avoid confusion about which interface is which.<br />
<br />
* '''intern0''': the network card connected to the LAN. On an actual computer it will probably have the name enp2s0, enp1s1, etc.<br />
* '''extern0''': the network card connected to the external network (or WAN). It will probably have the name enp2s0, enp1s1, etc.<br />
<br />
==Installation==<br />
{{Note | For a full installation guide, see the [[Installation guide]].}}<br />
<br />
A fresh install of Arch Linux is the easiest to start from, as no configuration changes have been made and there is a minimal amount of packages installed. This is helpful when attempting to reduce security risk.<br />
<br />
===Partitioning===<br />
<br />
For security purposes, {{ic|/var}}, {{ic|/tmp}} and {{ic|/home}} should be separate from the {{ic|/}} partition. This prevents disk space from being completely used up by log files, daemons or the unprivileged user. It also allows different mount options for those partitions. If you have already partitioned your drive, the [http://gparted.sourceforge.net/ gparted livecd] can be used to resize, move, or create new partitions.<br />
<br />
Your home and root partitions can be much smaller than a regular install since this is not a desktop machine. {{ic|/var}} should be the largest partition—it is where databases, logs and long-term caches are stored. If you have a lot of RAM, mounting {{ic|/tmp}} as {{ic|tmpfs}} is a good idea, so making a disk partition for it during the initial install is unnecessary. Note that {{ic|/tmp}} is mounted as {{ic|tmpfs}} by default in Arch.<br />
<br />
===Post-Installation===<br />
After creation of non-root account you are recommended to install [[sudo]] and [[sudo#Disable root login|disable root login]].<br />
<br />
==Network interface configuration==<br />
<br />
===Persistent naming and Interface renaming===<br />
systemd/udev automatically assigns predictable, unique names to all your interfaces. These are persistent and will not change when you reboot. If you would like to rename interfaces to friendlier names (such as the {{ic|intern0}} and {{ic|extern0}} used here), read [[Network configuration#Device_names]].<br />
<br />
===IP configuration===<br />
Now you will need to configure the network interfaces. The best way to do so is using [[netctl]] profiles. You will need to create two profiles.<br />
{{Note|If you will be connecting to the Internet only via PPPoE (you have a single WAN port) you '''do not need''' to set up or enable the extern0-profile; the external interface will be the {{ic|ppp0}} pseudo-interface instead. See [[#ADSL connection/PPPoE]] below for more information on configuring PPPoE.}}<br />
* {{ic|/etc/netctl/extern0-profile}}<br />
Description='Public Interface.'<br />
Interface=extern0<br />
Connection=ethernet<br />
IP='dhcp'<br />
<br />
* {{ic|/etc/netctl/intern0-profile}}<br />
Description='Private Interface'<br />
Interface=intern0<br />
Connection=ethernet<br />
IP='static'<br />
Address=('10.0.0.1/24')<br />
<br />
{{Note|The example configuration above assumes a full /24 (254 usable addresses). If you are building the gateway for a small number of hosts, shrink the subnet by changing the CIDR suffix: /27, for example, gives 10.0.0.1 to 10.0.0.30 as usable addresses (10.0.0.0 is the network address and 10.0.0.31 the broadcast address). Whatever size you pick, the dnsmasq {{ic|dhcp-range}} configured below must fit inside it. You can find many CIDR calculators online.}}<br />
<br />
Next up is to set up the interfaces with netctl.<br />
# netctl enable extern0-profile<br />
# netctl enable intern0-profile<br />
<br />
==ADSL connection/PPPoE==<br />
Using rp-pppoe, we can connect an ADSL modem to the {{ic|extern0}} interface of the firewall and have Arch manage the connection. Make sure you put the modem in ''bridged'' mode though (either half-bridge or RFC 1483), otherwise the modem will act as a router too.<br />
# pacman -S rp-pppoe<br />
<br />
It should be noted that if you use only PPPoE to connect to the Internet (i.e. you have no WAN port other than the one connected to your modem) you do not need to set up the {{ic|extern0-profile}}, as the external (pseudo-)interface will be {{ic|ppp0}}.<br />
<br />
===PPPoE configuration===<br />
You can use netctl to setup the pppoe connection. To get started<br />
# cp /etc/netctl/examples/pppoe /etc/netctl/<br />
and start editing. For the interface configuration choose the interface that connects to the modem. If you only connect to the Internet through PPPoE this will probably be {{ic|extern0}}. Fill in the rest of the fields with your ISP information. See the PPPoE section of the {{ic|netctl.profile(5)}} man page for more information on the fields.<br />
<br />
==DNS and DHCP==<br />
We will use [[dnsmasq]], a DNS and DHCP daemon for the LAN. It was specifically designed for small sites. To get it, [[Pacman | install]] {{Pkg|dnsmasq}} from the [[official repositories]].<br />
<br />
Dnsmasq needs to be configured to be a DHCP server, and to answer only on the LAN side. Edit {{ic|/etc/dnsmasq.conf}}:<br />
<br />
interface=intern0 # listen for DNS and DHCP requests only on intern0 (our LAN); without this dnsmasq answers on extern0 too<br />
expand-hosts # add the domain to simple hostnames from /etc/hosts<br />
domain=foo.bar # domain for DHCP hosts (needed when "expand-hosts" is used)<br />
dhcp-range=10.0.0.2,10.0.0.254,255.255.255.0,1h # DHCP range for the LAN: from 10.0.0.2 to 10.0.0.254 with a<br />
# subnet mask of 255.255.255.0 and a DHCP lease of 1 hour (change to your own preferences)<br />
<br />
The range must stay inside the subnet assigned to {{ic|intern0}} and must exclude both the router's own address (10.0.0.1) and the broadcast address of the subnet (10.0.0.255 for a /24); a range ending on the broadcast address is a configuration error. Add {{ic|bind-interfaces}} if you want dnsmasq to bind its sockets to {{ic|intern0}} only, instead of binding to all addresses and discarding requests that arrive on other interfaces.<br />
<br />
Further down in the same file you can also add "static" DHCP leases ({{ic|dhcp-host}}), i.e. assign a fixed IP address to the MAC address of a computer on the LAN. Whenever that computer requests a new lease, it gets the same IP, which is useful for network servers with a DNS record. You can also deny certain MAC addresses from obtaining an IP at all.<br />
<br />
Now start dnsmasq:<br />
# systemctl start dnsmasq.service<br />
<br />
==Connection sharing==<br />
<br />
Time to tie the two network interfaces to each other.<br />
===iptables===<br />
[[Simple stateful firewall]] documents the setup of an [[iptables]] firewall and NAT.<br />
<br />
Make sure you add firewall exceptions for DHCP and DNS on the LAN interface if you want to use dnsmasq. DHCP uses UDP only (server port 67); DNS needs both UDP and TCP on port 53, since large answers fall back to TCP. Restricting the rules to {{ic|-i intern0}} keeps both services unreachable from the WAN:<br />
<br />
* Insert rules:<br />
# iptables -t filter -I INPUT -i intern0 -p udp -m udp --dport 67 -j ACCEPT<br />
# iptables -t filter -I INPUT -i intern0 -p udp -m udp --dport 53 -j ACCEPT<br />
# iptables -t filter -I INPUT -i intern0 -p tcp -m tcp --dport 53 -j ACCEPT<br />
<br />
<br />
===Shorewall===<br />
Shorewall, an iptables frontend, can be used as an easier alternative. See [[Shorewall]] for detailed configuration.<br />
<br />
==IPv6==<br />
<br />
{{Merge|IPv6|Merge into the main article, the topic is not specific to ''router configuration''. The wording should be probably changed along the way.}}<br />
<br />
''Useful reading: [[IPv6]] and the [https://en.wikipedia.org/wiki/IPv6 Wikipedia IPv6 entry].''<br />
<br />
You can use your router in IPv6 mode even if you do not have an IPv6 address from your ISP. Unless you disable IPv6, every interface will already have a link-local address from {{ic|fe80::/10}}.<br />
<br />
For internal networking the block {{ic|fc00::/7}} has been reserved. Addresses in it are called [http://en.wikipedia.org/wiki/Unique_local_address Unique Local Addresses] (ULA); they are not routed on the public internet, and because the 40-bit global ID of a {{ic|fd00::/8}} prefix is chosen at random they are very unlikely to collide with another site's ULA (they are not guaranteed unique, so do not pick one by hand). To get started [http://www.simpledns.com/private-ipv6.aspx generate a ULA /64 block] to use in your network. For this example we will use {{ic|fd00:aaaa:bbbb:cccc::/64}}. First we must assign a static IPv6 address on the internal interface. Modify the {{ic|intern0-profile}} we created above to include the following line<br />
IPCustom=('-6 addr add fd00:aaaa:bbbb:cccc::1/64 dev intern0')<br />
This adds the ULA to the internal interface. As far as the router itself goes, this is all you need to configure.<br />
<br />
===Router Advertisement and Stateless Autoconfiguration (SLAAC)===<br />
<br />
To properly hand out IPv6s to the network clients we will need to use an advertising daemon. The standard tool for this job is {{Pkg|radvd}} and is available in [[official repositories]]. Configuration of radvd is fairly simple. Edit {{ic|/etc/radvd.conf}} to include<br />
<br />
interface intern0 {<br />
AdvSendAdvert on;<br />
MinRtrAdvInterval 3;<br />
MaxRtrAdvInterval 10;<br />
prefix fd00:aaaa:bbbb:cccc::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
};<br />
};<br />
<br />
The above configuration tells clients to autoconfigure themselves with addresses from the specified /64 block. Without privacy extensions a client derives its interface identifier from the MAC address of the interface (EUI-64), which makes the host trackable across networks; with [[IPv6#Privacy_Extensions|privacy extensions]] enabled (recommended) it additionally uses randomly generated temporary addresses for outgoing connections. On the client side you need to set {{ic|1=IP6=stateless}} in your active netctl profile. If you want a static IP as well, add<br />
IPCustom=('-6 addr add fd00:aaaa:bbbb:cccc::2/64 dev eth0')<br />
<br />
Do not forget to enable and start {{ic|radvd.service}}.<br />
<br />
====Firewall tweaks====<br />
<br />
Stateless autoconfiguration relies on ICMPv6: router solicitations and advertisements, and neighbour solicitations and advertisements (Neighbour Discovery, RFC 4861) are all ICMPv6 messages, and so are the errors that path MTU discovery depends on. IPv6 therefore breaks if a firewall drops ICMPv6 wholesale, and some firewall tweaks are required on both ends of the network. On the '''client side''' all you need to do is allow the {{ic|ipv6-icmp}} protocol on the INPUT chain. If you are using [[Simple stateful firewall]] you only need to add<br />
<br />
-A INPUT -p ipv6-icmp -j ACCEPT<br />
<br />
You can limit it to the internal network using {{ic|-s fd00:aaaa:bbbb:cccc::/64}} and/or {{ic|-s fe80::/10}}, or to the individual message types with {{ic|--icmpv6-type}}, so that the rule does not accept arbitrary ICMPv6 from everywhere. On the router you must add the same rule, extended to the OUTPUT and FORWARD chains as well:<br />
<br />
-A INPUT -p ipv6-icmp -j ACCEPT<br />
-A OUTPUT -p ipv6-icmp -j ACCEPT<br />
-A FORWARD -p ipv6-icmp -j ACCEPT<br />
<br />
Again, you can limit the INPUT rule to the internal network. Neighbour Discovery messages never cross a router (they are sent with hop limit 255 and discarded if it has been decremented), so the FORWARD rule only needs to pass the ICMPv6 error messages, not NDP.<br />
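As a more restrictive alternative to the blanket rules above (on both the client and the router side, and for the identical section in the older revisions of this article further down), here is an added example that is not part of the ArchWiki article: a POSIX sh generator for iptables-restore style lines that admit only the Neighbour Discovery message types each role actually exchanges, require the hop limit of 255 that RFC 4861 mandates for NDP, accept router advertisements only from link-local sources, and pass through the ICMPv6 errors that RFC 4890 says a router must not drop. The interface names {{ic|intern0}} and {{ic|eth0}} are the article's placeholders; the function names are this example's own, and the output is meant to be appended to the filter table of a default-drop ruleset such as the one from [[Simple stateful firewall]].

```shell
#!/bin/sh
# Added example (not part of the ArchWiki article): emit ip6tables-restore
# style rules that admit only the ICMPv6 messages that SLAAC and neighbour
# discovery need, instead of a blanket "-p ipv6-icmp -j ACCEPT".
# Assumptions: interface names intern0 (router LAN side) and eth0 (client) are
# the article's placeholders; the lines are appended to the filter table of a
# default-drop ruleset. The restrictions follow RFC 4861/4890: all NDP
# messages carry hop limit 255 (so they cannot have crossed a router), and
# router advertisements are always sent from a link-local address.

# ndp_rules ROLE IFACE   (ROLE is "router" or "client")
# Prints INPUT/OUTPUT rules for exactly the NDP types that role exchanges.
ndp_rules() {
    role=$1
    iface=$2
    case $role in
        router)
            in_types="router-solicitation neighbour-solicitation neighbour-advertisement"
            out_types="router-advertisement neighbour-solicitation neighbour-advertisement" ;;
        client)
            in_types="router-advertisement neighbour-solicitation neighbour-advertisement"
            out_types="router-solicitation neighbour-solicitation neighbour-advertisement" ;;
        *)
            echo "ndp_rules: role must be router or client" >&2
            return 1 ;;
    esac
    for type in $in_types; do
        # An RA from a non-link-local source is spoofed; only fe80::/10 is accepted.
        src=
        case $type in
            router-advertisement) src="-s fe80::/10 " ;;
        esac
        echo "-A INPUT -i $iface ${src}-p ipv6-icmp --icmpv6-type $type -m hl --hl-eq 255 -j ACCEPT"
    done
    for type in $out_types; do
        echo "-A OUTPUT -o $iface -p ipv6-icmp --icmpv6-type $type -m hl --hl-eq 255 -j ACCEPT"
    done
}

# forward_icmpv6_rules
# ICMPv6 error messages a router must pass through (RFC 4890 section 4.3.1);
# without packet-too-big, path MTU discovery fails and large transfers hang.
# NDP never needs a FORWARD rule: packets with hop limit 255 are not forwarded.
forward_icmpv6_rules() {
    for type in destination-unreachable packet-too-big time-exceeded parameter-problem; do
        echo "-A FORWARD -p ipv6-icmp --icmpv6-type $type -j ACCEPT"
    done
}

# Usage: paste the output into the *filter section of /etc/iptables/ip6tables.rules
# on the router; on a client use "ndp_rules client eth0".
ndp_rules router intern0
forward_icmpv6_rules
```

The router side deliberately has no INPUT rule for router advertisements: a router does not process them on its LAN interface, and dropping them there is the cheapest defence against a rogue RA from a misconfigured or malicious client. Echo requests are left out on purpose; add a rate-limited rule for them separately if you want the LAN to be able to ping the gateway.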
<br />
{{Expansion|More information on IPv6 firewalls required}}<br />
{{Expansion|Additional info on running DHCPv6 server instead of SLAAC}}<br />
<br />
===Global Unicast Addresses===<br />
<br />
====Static WAN IPv6====<br />
<br />
If your ISP or WAN network can reach the IPv6 Internet you can assign global unicast addresses to your router and propagate them through SLAAC to your internal network. If you have a static IPv6 allocation, all you must do is add the address to your external profile and enable advertisement of the global unicast block in {{ic|radvd.conf}}.<br />
<br />
In {{ic|/etc/netctl/extern0-profile}} simply add the IPv6 address and prefix length (usually /64) you have been given:<br />
<br />
IPCustom=('-6 addr add 2002:1:2:3:4:5:6:7/64 dev extern0')<br />
<br />
and edit {{ic|/etc/radvd.conf}} to include the new advertisement block.<br />
<br />
interface intern0 {<br />
AdvSendAdvert on;<br />
MinRtrAdvInterval 3;<br />
MaxRtrAdvInterval 10;<br />
prefix fd00:aaaa:bbbb:cccc::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
};<br />
prefix 2002:1:2:3::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
};<br />
};<br />
<br />
In that way your internal network clients will also get a global IPv6 address. Unlike the NATed IPv4 LAN, these addresses are reachable from the open internet, so adjust your firewall: the IPv6 FORWARD chain must only admit established/related traffic and explicitly permitted services towards the LAN. Global and local IPv6 addresses can co-exist on the same interface without further configuration.<br />
<br />
====Acquiring WAN IPv6 via DHCPv6-PD====<br />
<br />
If your ISP hands out IPv6 prefixes using [[wikipedia:Prefix_delegation|DHCPv6-PD]] you will need a DHCPv6 client to obtain the prefix from your ISP. Common such programs are {{AUR|dibbler}}, {{AUR|wide-dhcpv6}} and {{Pkg|dhcpcd}}. ISC's {{Pkg|dhclient}} should also work, but documentation on prefix delegation is scarce.<br />
<br />
For '''dibbler''' edit {{ic|/etc/dibbler/client.conf}}<br />
<br />
log-mode short<br />
log-level 7<br />
iface "extern0" {<br />
ia<br />
pd<br />
}<br />
<br />
{{Tip|Read manpage '''{{ic|dibbler-client(8)}}''' for more information.}}<br />
<br />
For '''wide-dhcpv6''' edit {{ic|/etc/wide-dhcpv6/dhcp6c.conf}}<br />
<br />
interface extern0 {<br />
send ia-pd 0;<br />
};<br />
<br />
id-assoc pd 0 {<br />
prefix-interface intern0 {<br />
sla-id 1;<br />
sla-len 8;<br />
};<br />
};<br />
<br />
{{Note|{{ic|sla-len}} should be set so that (WAN-PREFIX)+{{ic|sla-len}}<nowiki>=</nowiki>64. In this case it is set up for a /56 prefix (56+8<nowiki>=</nowiki>64). For a /64 prefix {{ic|sla-len}} should be 0.}}<br />
<br />
To enable and start the wide-dhcpv6 client, use<br />
# systemctl enable dhcp6c@extern0.service<br />
# systemctl start dhcp6c@extern0.service<br />
<br />
{{Tip|Read manpages '''{{ic|dhcp6c(8)}}''' and '''{{ic|dhcp6c.conf(5)}}''' for more information.}}<br />
<br />
For '''dhcpcd''' edit {{ic|/etc/dhcpcd.conf}}. You might already be using dhcpcd for IPv4 so just update your existing configuration. If you would like to use it for IPv6 only uncomment the third line.<br />
<br />
duid<br />
noipv6rs<br />
#ipv6only<br />
interface extern0<br />
ia_pd 1 intern0<br />
<br />
This configuration will ask for a prefix from WAN (interface {{ic|extern0}}) and delegate it to the internal interface ({{ic|intern0}}).<br />
<br />
Because this configuration neither solicits nor accepts router advertisements, and because the kernel ignores router advertisements on an interface that has forwarding enabled (which a router does), no default IPv6 route will be set. Setting {{ic|accept_ra}} to 2 tells the kernel to accept router advertisements on {{ic|extern0}} even though forwarding is on, so the upstream router's advertisement installs a dynamic default route:<br />
<br />
# sysctl -w net.ipv6.conf.extern0.accept_ra=2<br />
<br />
Or to have it persist after reboot:<br />
<br />
# echo net.ipv6.conf.extern0.accept_ra = 2 > /etc/sysctl.d/80-ipv6dynroute.conf<br />
<br />
{{Tip|Also read: manpages '''{{ic|dhcpcd(8)}}''' and '''{{ic|dhcpcd.conf(5)}}'''.}}<br />
<br />
Because the IPv6 prefix is now dynamic, we need to change radvd to advertise whatever prefix is present instead of a specific one. With this configuration radvd picks any /64 prefix configured on the internal interface and propagates SLAAC addresses for it to the clients; {{ic|DeprecatePrefix on}} makes radvd announce the prefix with a zero lifetime when it shuts down, so clients drop addresses from the old delegation when radvd is restarted after a prefix change. Simply change {{ic|/etc/radvd.conf}} to<br />
<br />
interface intern0 {<br />
AdvSendAdvert on;<br />
MinRtrAdvInterval 3;<br />
MaxRtrAdvInterval 10;<br />
prefix ::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
DeprecatePrefix on;<br />
};<br />
};<br />
<br />
====PPPoE and IPv6====<br />
If your ISP provides IPv6 via PPPoE you can enable it in your PPPoE netctl profile. Just add<br />
<br />
PPPoEIP6=yes<br />
<br />
and restart the profile. You must also change every {{ic|extern0}} reference in the configuration files above to {{ic|ppp0}}, since the IPv6 address is assigned to the PPP pseudo-interface instead of a real ethernet interface. Note that, depending on your modem, IPv6 might not be available in half-bridge mode; switch to full RFC1483 bridging instead.<br />
<br />
{{Warning|dhclient does not support DHCP6-PD via PPP}}<br />
<br />
==Cleanup==<br />
<br />
Now that the installation has been performed, remove as many packages as possible. On a gateway, every unneeded package is extra attack surface and extra update burden.<br />
<br />
First, list the packages that are not present in any configured repository. After a fresh install and a long series of updates this shows packages that have since been dropped from the repositories, as well as anything you built from the AUR:<br />
<br />
$ pacman -Qm<br />
<br />
Then review the list of explicitly installed packages that nothing else depends on and remove any that are unneeded. Keeping only the packages you need is an important security consideration.<br />
<br />
$ pacman -Qet<br />
<br />
Completely remove the packages you do not need along with their configuration files and dependencies:<br />
<br />
# pacman -Rsn package1 package2 package3<br />
<br />
== Logrotate ==<br />
<br />
You should review the [[logrotate]] configuration to make sure the box is not brought down by lack of diskspace due to logging.<br />
<br />
Logrotate is installed by default, so you will not have to install it.<br />
<br />
==Optional additions==<br />
<br />
===UPnP===<br />
Neither the iptables nor the shorewall configuration above includes [[Wikipedia:UPnP|UPnP]] support. Use of UPnP is discouraged: it lets any program on the LAN open ports on the gateway without authentication, so a compromised or malicious client can expose the whole LAN. However, some applications require it to function correctly.<br />
<br />
To enable UPnP on your router, you need to install a UPnP Internet gateway daemon (IGD). To get it, install {{Pkg|miniupnpd}} from the [[official repositories]].<br />
<br />
Read the [http://www.shorewall.net/UPnP.html Shorewall guide on UPnP] for more information.<br />
<br />
===Remote administration===<br />
<br />
[[SSH|OpenSSH]] can be used to administer your router remotely. This is useful for running it "headless" (no monitor or input devices). Keep it a LAN-only service, in line with the rest of this guide: set {{ic|ListenAddress 10.0.0.1}} in {{ic|/etc/ssh/sshd_config}} so the daemon only listens on {{ic|intern0}}, do not open port 22 on the external interface, and use key-based authentication with {{ic|1=PasswordAuthentication no}}.<br />
<br />
=== Caching web proxy ===<br />
<br />
See [[Squid]] or [[Polipo]] for the setup of a web proxy to speed up browsing and/or adding an extra layer of security.<br />
<br />
=== Time server ===<br />
To use the router as a time server, see [[Network Time Protocol]].<br />
<br />
Then configure shorewall or iptables to allow NTP traffic: UDP port 123 in from {{ic|intern0}} for the LAN clients, and out on the external interface to your upstream time servers. Do not accept NTP from the WAN.<br />
<br />
=== Content filtering ===<br />
<br />
Install and configure [[DansGuardian]] or [[Privoxy]] if you need a content filtering solution.<br />
<br />
=== Traffic shaping ===<br />
<br />
Traffic shaping is very useful, especially when you are not the only one on the LAN. The idea is to assign a priority to different types of traffic. Interactive traffic (ssh, online gaming) probably needs the highest priority, while P2P traffic can do with the lowest. Then there is everything in between.<br />
<br />
==== Traffic shaping with shorewall ====<br />
<br />
Read [http://www.shorewall.net/traffic_shaping.htm Shorewall's Traffic Shaping/Control] guide.<br />
<br />
Here is my config as an example:<br />
* /etc/shorewall/tcdevices : here is where you define the interface you want to have shaped and its rates. I have an ADSL connection with a 4 Mbit down/256 kbit up profile.<br />
ppp0 4mbit 256kbit <br />
* /etc/shorewall/tcclasses : here you define the minimum (rate) and maximum (ceil) throughput per class. You will assign each one to a type of traffic to shape.<br />
# interactive traffic (ssh)<br />
ppp0 1 full full 0<br />
# online gaming<br />
ppp0 2 full/2 full 5<br />
# http<br />
ppp0 3 full/4 full 10<br />
# rest<br />
ppp0 4 full/6 full 15 default<br />
* /etc/shorewall/tcrules : this file contains the types of traffic and the class it belongs to.<br />
1 0.0.0.0/0 0.0.0.0/0 tcp ssh<br />
2 0.0.0.0/0 0.0.0.0/0 udp 27000:28000<br />
3 0.0.0.0/0 0.0.0.0/0 tcp http<br />
3 0.0.0.0/0 0.0.0.0/0 tcp https<br />
I have split my traffic into 4 groups:<br />
# interactive traffic or ssh: although it takes up almost no bandwidth, it is very annoying if it lags due to leechers on the LAN. This gets the highest priority.<br />
# online gaming: needless to say you cannot play when your ping sucks. ;)<br />
# web traffic: can be a bit slower<br />
# everything else: every sort of download, they are the cause of the lag anyway.<br />
<br />
===Intrusion detection and prevention with snort===<br />
<br />
See [[Snort]].<br />
<br />
==See also==<br />
*[[Simple stateful firewall]]<br />
*[[Internet sharing]]</div>Foucaulthttps://wiki.archlinux.org/index.php?title=Router&diff=282164Router2013-11-10T00:26:41Z<p>Foucault: /* ADSL connection/PPPoE */ Style</p>
<hr />
<div>[[Category:Networking]]<br />
[[Category:Security]]<br />
This article is a tutorial for turning a computer into an internet gateway/router. It focuses on ''security'', since the gateway is connected directly to the Internet. It should not run '''any''' services available to the outside world. Towards the LAN, it should only run gateway-specific services. It should not run httpd, ftpd, samba, nfsd, etc.: those belong on a server inside the LAN, and every extra service on the gateway is extra attack surface on the one machine that is exposed to the Internet.<br />
<br />
This article does not attempt to show how to set up a shared connection between 2 PCs using cross-over cables. For a simple internet sharing solution, see [[Internet Sharing]].<br />
<br />
==Hardware Requirements==<br />
* At least 1 GB of hard drive space. The base install will take up around 500MB of space and if you want to use a caching web proxy, you will need to reserve space for the cache as well.<br />
* At least two physical network interfaces: a gateway connects two networks with each other. You will need to be able to connect those networks to the same physical computer. One interface must connect to the external network, while the other connects to the internal network.<br />
* A hub, switch or UTP cable: You need a way to connect the other computers to the gateway<br />
<br />
==Conventions==<br />
Conventions in this guide will be to use non-realistic interface names, to avoid confusion about which interface is which.<br />
<br />
* '''intern0''': the network card connected to the LAN. On an actual computer it will have a name like enp2s0 or enp1s1.<br />
* '''extern0''': the network card connected to the external network (or WAN). It will have a name of the same form.<br />
<br />
==Installation==<br />
{{Note | For a full installation guide, see the [[Official Arch Linux Install Guide]].}}<br />
<br />
A fresh install of Arch Linux is the easiest to start from, as no configuration changes have been made and there is a minimal amount of packages installed. This is helpful when attempting to reduce security risk.<br />
<br />
===Partitioning===<br />
<br />
For security purposes, {{ic|/var}}, {{ic|/tmp}} and {{ic|/home}} should be separate from the {{ic|/}} partition. This prevents disk space from being completely used up by log files, daemons or the unprivileged user. It also allows different mount options for those partitions. If you have already partitioned your drive, the [http://gparted.sourceforge.net/ gparted livecd] can be used to resize, move, or create new partitions.<br />
<br />
Your home and root partitions can be much smaller than a regular install since this is not a desktop machine. {{ic|/var}} should be the largest partition—it is where databases, logs and long-term caches are stored. If you have a lot of RAM, mounting {{ic|/tmp}} as {{ic|tmpfs}} is a good idea, so making a disk partition for it during the initial install is unnecessary. Note that {{ic|/tmp}} is mounted as {{ic|tmpfs}} by default in Arch.<br />
<br />
===Post-Installation===<br />
After creating a non-root account, it is recommended to install [[sudo]] and [[sudo#Disable root login|disable root login]].<br />
<br />
==Network interface configuration==<br />
<br />
===Persistent naming and Interface renaming===<br />
Systemd automatically chooses unique interface names for all your interfaces. These are persistent and will not change when you reboot. If you would like to rename the interfaces to friendlier names, read [[Network_Configuration#Device_names]].<br />
<br />
===IP configuration===<br />
Now you will need to configure the network interfaces. The best way to do so is using [[netctl]] profiles. You will need to create two profiles.<br />
{{Note|If you will be connecting to the Internet only via PPPoE (you have one WAN port) you '''do not need''' to setup or enable the extern0-profile. See below for more information on configuring PPPoE.}}<br />
* {{ic|/etc/netctl/extern0-profile}}<br />
Description='Public Interface.'<br />
Interface=extern0<br />
Connection=ethernet<br />
IP='dhcp'<br />
<br />
* {{ic|/etc/netctl/intern0-profile}}<br />
Description='Private Interface'<br />
Interface=intern0<br />
Connection=ethernet<br />
IP='static'<br />
Address=('10.0.0.1/24')<br />
<br />
{{Note|The example configuration above assumes a full subnet. If you are building the gateway for a small amount of people, you will want to change the CIDR suffix to accommodate a smaller range. For example /27 will give you 10.0.0.1 to 10.0.0.30. You can find many CIDR calculators online.}}<br />
<br />
Next, enable the profiles with netctl so they are brought up at boot (use {{ic|netctl start}} to bring them up now without rebooting):<br />
# netctl enable extern0-profile<br />
# netctl enable intern0-profile<br />
<br />
==ADSL connection/PPPoE==<br />
Using rp-pppoe, we can connect an ADSL modem to the {{ic|extern0}} interface of the firewall and have Arch manage the connection. Make sure you put the modem in ''bridged'' mode (either half-bridge or RFC1483), otherwise the modem will act as a router too.<br />
# pacman -S rp-pppoe<br />
<br />
It should be noted that if you use only PPPoE to connect to the internet (i.e. you have no WAN port other than the one that connects to your modem) you do not need to set up the {{ic|extern0-profile}}, as the external pseudo-interface will be {{ic|ppp0}}.<br />
<br />
===PPPoE configuration===<br />
You can use netctl to set up the PPPoE connection. To get started,<br />
# cp /etc/netctl/examples/pppoe /etc/netctl/<br />
and edit the copy. For the interface, choose the one that connects to the modem; if you only connect to the internet through PPPoE this will probably be {{ic|extern0}}. Fill in the remaining fields with the information from your ISP. See the PPPoE section of the {{ic|netctl.profile(5)}} man page for a description of the fields.<br />
<br />
==DNS and DHCP==<br />
We will use [[dnsmasq]], a DNS and DHCP daemon for the LAN. It was specifically designed for small sites. To get it, [[Pacman | install]] {{Pkg|dnsmasq}} from the [[official repositories]].<br />
<br />
Dnsmasq needs to be configured to be a DHCP server. To do this, edit {{ic|/etc/dnsmasq.conf}}:<br />
<br />
interface=intern0 # make dnsmasq listen for requests only on intern0 (our LAN)<br />
expand-hosts # add a domain to simple hostnames in /etc/hosts<br />
domain=foo.bar # allow fully qualified domain names for DHCP hosts (needed when<br />
# "expand-hosts" is used)<br />
dhcp-range=10.0.0.2,10.0.0.254,255.255.255.0,1h # defines a DHCP-range for the LAN:<br />
# from 10.0.0.2 to .254 with a subnet mask of 255.255.255.0 and a<br />
# DHCP lease of 1 hour (change to your own preferences)<br />
<br />
{{Note|The range deliberately stops at 10.0.0.254: 10.0.0.255 is the broadcast address of 10.0.0.0/24 and must never be leased, and 10.0.0.1 is the router itself. If you chose a smaller subnet for {{ic|intern0}}, adjust the range and mask to match.}}<br />
<br />
Further down in the file you will notice that you can also add "static" DHCP leases with {{ic|dhcp-host}}, i.e. assign an IP address to the MAC address of a computer on the LAN. This way, whenever that computer requests a new lease, it gets the same IP, which is very useful for network servers with a DNS record. The same option can also deny certain MAC addresses a lease. Bear in mind that MAC addresses are trivially spoofed, so this is an administrative convenience, not an access control.<br />
<br />
Now start dnsmasq:<br />
# systemctl start dnsmasq.service<br />
<br />
==Connection sharing==<br />
<br />
Time to tie the two network interfaces to each other.<br />
===iptables===<br />
[[Simple stateful firewall]] documents the setup of an [[iptables]] firewall and NAT.<br />
<br />
===Shorewall===<br />
Shorewall, an iptables frontend, can be used as an easier alternative. See [[Shorewall]] for detailed configuration.<br />
<br />
==IPv6==<br />
<br />
''Useful reading: [[IPv6]] and the [https://en.wikipedia.org/wiki/IPv6 Wikipedia IPv6 entry].''<br />
<br />
You can use your router in IPv6 mode even if you do not have an IPv6 address from your ISP. Unless you disable IPv6, every interface will already have a link-local address from {{ic|fe80::/10}}.<br />
<br />
For internal networking the block {{ic|fc00::/7}} has been reserved. Addresses in it are called [http://en.wikipedia.org/wiki/Unique_local_address Unique Local Addresses] (ULA); they are not routed on the public internet, and because the 40-bit global ID of a {{ic|fd00::/8}} prefix is chosen at random they are very unlikely to collide with another site's ULA (they are not guaranteed unique, so do not pick one by hand). To get started [http://www.simpledns.com/private-ipv6.aspx generate a ULA /64 block] to use in your network. For this example we will use {{ic|fd00:aaaa:bbbb:cccc::/64}}. First we must assign a static IPv6 address on the internal interface. Modify the {{ic|intern0-profile}} we created above to include the following line<br />
IPCustom=('-6 addr add fd00:aaaa:bbbb:cccc::1/64 dev intern0')<br />
This adds the ULA to the internal interface. As far as the router itself goes, this is all you need to configure.<br />
<br />
===Router Advertisement and Stateless Autoconfiguration (SLAAC)===<br />
<br />
To properly hand out IPv6s to the network clients we will need to use an advertising daemon. The standard tool for this job is {{ic|radvd}} and is available in {{ic|[community]}}. Configuration of radvd is fairly simple. Edit {{ic|/etc/radvd.conf}} to include<br />
<br />
interface intern0 {<br />
AdvSendAdvert on;<br />
MinRtrAdvInterval 3;<br />
MaxRtrAdvInterval 10;<br />
prefix fd00:aaaa:bbbb:cccc::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
};<br />
};<br />
<br />
The above configuration tells clients to autoconfigure themselves with addresses from the specified /64 block. Without privacy extensions a client derives its interface identifier from the MAC address of the interface (EUI-64), which makes the host trackable across networks; with [[IPv6#Privacy_Extensions|privacy extensions]] enabled (recommended) it additionally uses randomly generated temporary addresses for outgoing connections. On the client side you need to set {{ic|IP6&#61;stateless}} in your active netctl profile. If you want a static IP as well, add<br />
IPCustom=('-6 addr add fd00:aaaa:bbbb:cccc::2/64 dev eth0')<br />
<br />
Do not forget to enable and start {{ic|radvd.service}}.<br />
<br />
====Firewall tweaks====<br />
<br />
Stateless autoconfiguration relies on ICMPv6: router solicitations and advertisements, and neighbour solicitations and advertisements (Neighbour Discovery, RFC 4861) are all ICMPv6 messages, and so are the errors that path MTU discovery depends on. IPv6 therefore breaks if a firewall drops ICMPv6 wholesale, and some firewall tweaks are required on both ends of the network. On the '''client side''' all you need to do is allow the {{ic|ipv6-icmp}} protocol on the INPUT chain. If you are using [[Simple Stateful Firewall]] you only need to add<br />
<br />
-A INPUT -p ipv6-icmp -j ACCEPT<br />
<br />
You can limit it to the internal network using {{ic|-s fd00:aaaa:bbbb:cccc::/64}} and/or {{ic|-s fe80::/10}}, or to the individual message types with {{ic|--icmpv6-type}}, so that the rule does not accept arbitrary ICMPv6 from everywhere. On the router you must add the same rule, extended to the OUTPUT and FORWARD chains as well:<br />
<br />
-A INPUT -p ipv6-icmp -j ACCEPT<br />
-A OUTPUT -p ipv6-icmp -j ACCEPT<br />
-A FORWARD -p ipv6-icmp -j ACCEPT<br />
<br />
Again, you can limit the INPUT rule to the internal network. Neighbour Discovery messages never cross a router (they are sent with hop limit 255 and discarded if it has been decremented), so the FORWARD rule only needs to pass the ICMPv6 error messages, not NDP.<br />
<br />
{{Expansion|More information on IPv6 firewalls required}}<br />
{{Expansion|Additional info on running DHCPv6 server instead of SLAAC}}<br />
<br />
===Global Unicast Addresses===<br />
<br />
====Static WAN IPv6====<br />
<br />
If your ISP or WAN network can reach the IPv6 Internet you can assign global unicast addresses to your router and propagate them through SLAAC to your internal network. If you have a static IPv6 allocation, all you must do is add the address to your external profile and enable advertisement of the global unicast block in {{ic|radvd.conf}}.<br />
<br />
In {{ic|/etc/netctl/extern0-profile}} simply add the IPv6 and the IPv6 prefix (usually /64) you have been provided<br />
<br />
IPCustom=('-6 addr add 2002:1:2:3:4:5:6:7/64 dev extern0')<br />
<br />
and edit {{ic|/etc/radvd.conf}} to include the new advertisement block.<br />
<br />
interface intern0 {<br />
AdvSendAdvert on;<br />
MinRtrAdvInterval 3;<br />
MaxRtrAdvInterval 10;<br />
prefix fd00:aaaa:bbbb:cccc::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
};<br />
prefix 2002:1:2:3::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
};<br />
};<br />
<br />
In that way your internal network clients will also get a global IPv6 address. Unlike the NATed IPv4 LAN, these addresses are reachable from the open internet, so adjust your firewall: the IPv6 FORWARD chain must only admit established/related traffic and explicitly permitted services towards the LAN. Global and local IPv6 addresses can co-exist on the same interface without further configuration.<br />
<br />
====Acquiring WAN IPv6 via DHCPv6-PD====<br />
<br />
If your ISP hands out IPv6 prefixes using [https://en.wikipedia.org/wiki/Prefix_delegation DHCPv6-PD] you will need a DHCPv6 client to obtain the prefix from your ISP. Common such programs are [https://aur.archlinux.org/packages.php?O=0&L=0&C=0&K=dibbler dibbler], [https://aur.archlinux.org/packages/wide-dhcpv6 wide-dhcpv6] and [https://www.archlinux.org/packages/?sort=&q=dhcpcd&maintainer=&flagged= dhcpcd]. [https://www.archlinux.org/packages/?sort=&q=dhclient&maintainer=&flagged= ISC dhclient] should also work, but documentation on prefix delegation is scarce.<br />
<br />
For '''dibbler''' edit {{ic|/etc/dibbler/client.conf}}<br />
<br />
log-mode short<br />
log-level 7<br />
iface "extern0" {<br />
ia<br />
pd<br />
}<br />
<br />
{{Tip|Read manpage '''{{ic|dibbler-client(8)}}''' for more information.}}<br />
<br />
For '''wide-dhcpv6''' edit {{ic|/etc/wide-dhcpv6/dhcp6c.conf}}<br />
<br />
interface extern0 {<br />
send ia-pd 0;<br />
};<br />
<br />
id-assoc pd 0 {<br />
prefix-interface intern0 {<br />
sla-id 1;<br />
sla-len 8;<br />
};<br />
};<br />
<br />
To enable and start the wide-dhcpv6 client, use<br />
# systemctl enable dhcp6c@extern0.service<br />
# systemctl start dhcp6c@extern0.service<br />
<br />
{{Tip|Read manpages '''{{ic|dhcp6c(8)}}''' and '''{{ic|dhcp6c.conf(5)}}''' for more information.}}<br />
<br />
For '''dhcpcd''' edit {{ic|/etc/dhcpcd.conf}}. You might already be using dhcpcd for IPv4 so just update your existing configuration. If you would like to use it for IPv6 only uncomment the third line.<br />
<br />
duid<br />
noipv6rs<br />
#ipv6only<br />
interface extern0<br />
ia_pd 1 intern0<br />
<br />
This configuration will ask for a prefix from WAN (interface {{ic|extern0}}) and delegate it to the internal interface ({{ic|intern0}}).<br />
<br />
{{Tip|Also read: manpages '''{{ic|dhcpcd(8)}}''' and '''{{ic|dhcpcd.conf(5)}}'''.}}<br />
<br />
Because the IPv6 prefix is now dynamic, we need to change radvd to advertise whatever prefix is present instead of a specific one. With this configuration radvd picks any /64 prefix configured on the internal interface and propagates SLAAC addresses for it to the clients; {{ic|DeprecatePrefix on}} makes radvd announce the prefix with a zero lifetime when it shuts down, so clients drop addresses from the old delegation when radvd is restarted after a prefix change. Simply change {{ic|/etc/radvd.conf}} to<br />
<br />
interface intern0 {<br />
AdvSendAdvert on;<br />
MinRtrAdvInterval 3;<br />
MaxRtrAdvInterval 10;<br />
prefix ::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
DeprecatePrefix on;<br />
};<br />
};<br />
<br />
====PPPoE and IPv6====<br />
If your ISP provides IPv6 via PPPoE you can enable it in your PPPoE netctl profile. Just add<br />
<br />
PPPoEIP6=yes<br />
<br />
and restart the profile. You must also change every {{ic|extern0}} reference in the configuration files above to {{ic|ppp0}}, since the IPv6 address is assigned to the PPP pseudo-interface instead of a real ethernet interface. Note that, depending on your modem, IPv6 might not be available in half-bridge mode; switch to full RFC1483 bridging instead.<br />
<br />
{{Warning|dhclient does not support DHCP6-PD via PPP}}<br />
<br />
==Cleanup==<br />
<br />
Now that the installation has been performed, remove as many packages as possible. On a gateway, every unneeded package is extra attack surface and extra update burden.<br />
<br />
First, list the packages that are not present in any configured repository. After a fresh install and a long series of updates this shows packages that have since been dropped from the repositories, as well as anything you built from the AUR:<br />
<br />
$ pacman -Qm<br />
<br />
Then review the list of explicitly installed packages that nothing else depends on and remove any that are unneeded. Keeping only the packages you need is an important security consideration.<br />
<br />
$ pacman -Qet<br />
<br />
Completely remove the packages you do not need along with their configuration files and dependencies:<br />
<br />
# pacman -Rsn package1 package2 package3<br />
<br />
== Logrotate ==<br />
<br />
You should review the [[logrotate]] configuration to make sure the box is not brought down by lack of diskspace due to logging.<br />
<br />
Logrotate is installed by default, so you will not have to install it.<br />
<br />
==Optional additions==<br />
<br />
===UPnP===<br />
Neither the iptables nor the shorewall configuration above includes [[Wikipedia:UPnP|UPnP]] support. Use of UPnP is discouraged: it lets any program on the LAN open ports on the gateway without authentication, so a compromised or malicious client can expose the whole LAN. However, some applications require it to function correctly.<br />
<br />
To enable UPnP on your router, you need to install a UPnP Internet gateway daemon (IGD). To get it, install {{Pkg|miniupnpd}} from the [[official repositories]].<br />
<br />
Read the [http://www.shorewall.net/UPnP.html Shorewall guide on UPnP] for more information.<br />
<br />
===Remote administration===<br />
<br />
[[SSH|OpenSSH]] can be used to administer your router remotely. This is useful for running it "headless" (no monitor or input devices). Keep it a LAN-only service, in line with the rest of this guide: set {{ic|ListenAddress 10.0.0.1}} in {{ic|/etc/ssh/sshd_config}} so the daemon only listens on {{ic|intern0}}, do not open port 22 on the external interface, and use key-based authentication with {{ic|1=PasswordAuthentication no}}.<br />
<br />
=== Caching web proxy ===<br />
<br />
See [[Squid]] or [[Polipo]] for the setup of a web proxy to speed up browsing and/or adding an extra layer of security.<br />
<br />
=== Time server ===<br />
To use the router as a time server, see [[Network Time Protocol]].<br />
<br />
Then configure shorewall or iptables to allow NTP traffic: UDP port 123 in from {{ic|intern0}} for the LAN clients, and out on the external interface to your upstream time servers. Do not accept NTP from the WAN.<br />
<br />
=== Content filtering ===<br />
<br />
Install and configure [[DansGuardian]] or [[Privoxy]] if you need a content filtering solution.<br />
<br />
=== Traffic shaping ===<br />
<br />
Traffic shaping is very useful, especially when you are not the only one on the LAN. The idea is to assign a priority to different types of traffic. Interactive traffic (ssh, online gaming) probably needs the highest priority, while P2P traffic can do with the lowest. Then there is everything in between.<br />
<br />
==== Traffic shaping with shorewall ====<br />
<br />
Read [http://www.shorewall.net/traffic_shaping.htm Shorewall's Traffic Shaping/Control] guide.<br />
<br />
Here is my config as an example:<br />
* /etc/shorewall/tcdevices : here is where you define the interface you want to have shaped and its rates. I have an ADSL connection with a 4 Mbit down/256 kbit up profile.<br />
ppp0 4mbit 256kbit <br />
* /etc/shorewall/tcclasses : here you define the minimum (rate) and maximum (ceil) throughput per class. You will assign each one to a type of traffic to shape.<br />
# interactive traffic (ssh)<br />
ppp0 1 full full 0<br />
# online gaming<br />
ppp0 2 full/2 full 5<br />
# http<br />
ppp0 3 full/4 full 10<br />
# rest<br />
ppp0 4 full/6 full 15 default<br />
* /etc/shorewall/tcrules : this file contains the types of traffic and the class it belongs to.<br />
1 0.0.0.0/0 0.0.0.0/0 tcp ssh<br />
2 0.0.0.0/0 0.0.0.0/0 udp 27000:28000<br />
3 0.0.0.0/0 0.0.0.0/0 tcp http<br />
3 0.0.0.0/0 0.0.0.0/0 tcp https<br />
I have split my traffic up into 4 groups:<br />
# interactive traffic or ssh: although it takes up almost no bandwidth, it is very annoying if it lags due to leechers on the LAN. This gets the highest priority.<br />
# online gaming: needless to say you cannot play when your ping sucks. ;)<br />
# web traffic: can be a bit slower<br />
# everything else: every sort of download, they are the cause of the lag anyway.<br />
<br />
===Intrusion detection and prevention with snort===<br />
<br />
See [[Snort]].<br />
<br />
==See also==<br />
*[[Simple stateful firewall]]<br />
*[[Internet Sharing]]</div>Foucaulthttps://wiki.archlinux.org/index.php?title=Router&diff=282163Router2013-11-10T00:24:07Z<p>Foucault: /* Acquiring WAN IPv6 via DHCPv6-PD */ Styling</p>
<hr />
<div>[[Category:Networking]]<br />
[[Category:Security]]<br />
This article is a tutorial for turning a computer into an internet gateway/router. It focuses on ''security'', since the gateway is connected directly to the Internet. It should not run '''any''' services available to the outside world. Towards the LAN, it should only run gateway-specific services. It should not run httpd, ftpd, samba, nfsd, etc.: those belong on a server inside the LAN, as they introduce security flaws on a host exposed to the Internet.<br />
<br />
This article does not attempt to show how to set up a shared connection between 2 PCs using cross-over cables. For a simple internet sharing solution, see [[Internet Sharing]].<br />
<br />
==Hardware Requirements==<br />
* At least 1 GB of hard drive space. The base install will take up around 500MB of space and if you want to use a caching web proxy, you will need to reserve space for the cache as well.<br />
* At least two physical network interfaces: a gateway connects two networks with each other. You will need to be able to connect those networks to the same physical computer. One interface must connect to the external network, while the other connects to the internal network.<br />
* A hub, switch or UTP cable: you need a way to connect the other computers to the gateway.<br />
<br />
==Conventions==<br />
This guide uses non-realistic interface names, to avoid confusion about which interface is which.<br />
<br />
* '''intern0''': the network card connected to the LAN. On an actual computer it will probably have the name enp2s0, enp1s1, etc.<br />
* '''extern1''': the network card connected to the external network (or WAN). It will probably have the name enp2s0, enp1s1, etc.<br />
<br />
==Installation==<br />
{{Note | For a full installation guide, see the [[Official Arch Linux Install Guide]].}}<br />
<br />
A fresh install of Arch Linux is the easiest to start from, as no configuration changes have been made and only a minimal number of packages is installed. This helps when attempting to reduce security risk.<br />
<br />
===Partitioning===<br />
<br />
For security purposes, {{ic|/var}}, {{ic|/tmp}} and {{ic|/home}} should be separate from the {{ic|/}} partition. This prevents disk space from being completely used up by log files, daemons or the unprivileged user. It also allows different mount options for those partitions. If you have already partitioned your drive, the [http://gparted.sourceforge.net/ gparted livecd] can be used to resize, move, or create new partitions.<br />
<br />
Your home and root partitions can be much smaller than a regular install since this is not a desktop machine. {{ic|/var}} should be the largest partition—it is where databases, logs and long-term caches are stored. If you have a lot of RAM, mounting {{ic|/tmp}} as {{ic|tmpfs}} is a good idea, so making a disk partition for it during the initial install is unnecessary. Note that {{ic|/tmp}} is mounted as {{ic|tmpfs}} by default in Arch.<br />
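Separating {{ic|/var}}, {{ic|/tmp}} and {{ic|/home}} only pays off if they are actually mounted with restrictive options. The following POSIX sh audit is an added example, not part of the original article; which options it expects per mount point is an assumption of the example (no device nodes or setuid binaries on any of the three, and nothing executable in {{ic|/tmp}}), and the mount table it checks is a constructed sample.<br />
<br />
```sh
#!/bin/sh
# Added example (not from the original article): check that the separate
# /var, /tmp and /home file systems carry restrictive mount options. Which
# options to require is an assumption of this example, not something the
# article prescribes: none of these trees should need device nodes or setuid
# binaries, and nothing in /tmp should need to be executable.

# required_opts <mountpoint> -> space-separated options expected there
required_opts() {
    case $1 in
        /tmp)  echo "nodev nosuid noexec" ;;
        /var)  echo "nodev nosuid" ;;
        /home) echo "nodev nosuid" ;;
        *)     echo "" ;;
    esac
}

# audit_mounts: reads /proc/mounts-style lines on stdin
# ("<device> <mountpoint> <fstype> <options> 0 0") and prints one line
# "<mountpoint> missing <option>" per missing option. Returns 1 if anything
# is missing, 0 otherwise. (Mount points containing spaces, which /proc/mounts
# escapes as \040, are not handled.)
audit_mounts() {
    missing=0
    while read -r _dev mnt _fstype opts _rest; do
        [ -n "$mnt" ] || continue
        for want in $(required_opts "$mnt"); do
            case ",$opts," in
                *",$want,"*) ;;
                *) echo "$mnt missing $want"; missing=1 ;;
            esac
        done
    done
    return $missing
}

# Constructed sample (not a real system's mounts): /var lacks nosuid and the
# tmpfs on /tmp lacks noexec; the other entries are fine.
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /var ext4 rw,relatime,nodev 0 0
/dev/sda4 /home ext4 rw,relatime,nodev,nosuid 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,size=512m 0 0'

# audit_sample: run the audit over the constructed sample
audit_sample() {
    printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts
}

# On the router itself you would run: audit_mounts < /proc/mounts
audit_sample || echo "some partitions need attention"
```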
<br />
===Post-Installation===<br />
After creating a non-root account, it is recommended to install [[sudo]] and [[sudo#Disable root login|disable root login]].<br />
<br />
==Network interface configuration==<br />
<br />
===Persistent naming and Interface renaming===<br />
Systemd automatically chooses unique interface names for all your interfaces. These are persistent and will not change when you reboot. If you would like to rename interfaces to friendlier names, read [[Network_Configuration#Device_names]].<br />
<br />
===IP configuration===<br />
Now you will need to configure the network interfaces. The best way to do so is with [[netctl]] profiles. You will need to create two profiles.<br />
{{Note|If you will be connecting to the Internet only via PPPoE (you have one WAN port) you '''do not need''' to set up or enable the extern0-profile. See below for more information on configuring PPPoE.}}<br />
* {{ic|/etc/netctl/extern0-profile}}<br />
Description='Public Interface.'<br />
Interface=extern0<br />
Connection=ethernet<br />
IP='dhcp'<br />
<br />
* {{ic|/etc/netctl/intern0-profile}}<br />
Description='Private Interface'<br />
Interface=intern0<br />
Connection=ethernet<br />
IP='static'<br />
Address=('10.0.0.1/24')<br />
<br />
{{Note|The example configuration above assumes a full subnet. If you are building the gateway for a small number of people, you will want to change the CIDR suffix to accommodate a smaller range. For example, /27 will give you 10.0.0.1 to 10.0.0.30. You can find many CIDR calculators online.}}<br />
<br />
Next, enable the interfaces with netctl:<br />
# netctl enable extern0-profile<br />
# netctl enable intern0-profile<br />
<br />
==ADSL connection/PPPoE==<br />
Using rp-pppoe, we can connect an ADSL modem to the extern1 interface of the firewall and have Arch manage the connection. Make sure you put the modem in ''bridged'' mode (either half-bridge or RFC1483), otherwise the modem will act as a router too.<br />
# pacman -S rp-pppoe<br />
<br />
It should be noted that if you use only PPPoE to connect to the internet (i.e. you do not have another WAN port besides the one that connects to your modem) you do not need to set up the extern0-profile, as the external pseudo-interface will be ppp0.<br />
<br />
===PPPoE configuration===<br />
You can use netctl to set up the PPPoE connection. To get started, copy the example profile:<br />
# cp /etc/netctl/examples/pppoe /etc/netctl/<br />
and start editing. For the interface configuration choose the interface that connects to the modem. If you only connect to the internet through PPPoE this will probably be '''extern0'''. Fill in the rest of the fields with your ISP information. See the pppoe section of the netctl.profile man page for more information on the fields.<br />
<br />
==DNS and DHCP==<br />
We will use [[dnsmasq]], a DNS and DHCP daemon for the LAN. It was specifically designed for small sites. To get it, [[Pacman | install]] {{Pkg|dnsmasq}} from the [[official repositories]].<br />
<br />
Dnsmasq needs to be configured as a DHCP server. To do this, edit {{ic|/etc/dnsmasq.conf}}:<br />
<br />
interface=intern0 # make dnsmasq listen for requests only on intern0 (our LAN)<br />
expand-hosts # add a domain to simple hostnames in /etc/hosts<br />
domain=foo.bar # allow fully qualified domain names for DHCP hosts (needed when<br />
# "expand-hosts" is used)<br />
dhcp-range=10.0.0.2,10.0.0.255,255.255.255.0,1h # defines a DHCP-range for the LAN: <br />
# from 10.0.0.2 to .255 with a subnet mask of 255.255.255.0 and a<br />
# DHCP lease of 1 hour (change to your own preferences)<br />
<br />
Somewhere below, you will notice you can also add "static" DHCP leases, i.e. assign an IP address to the MAC address of a computer on the LAN. This way, whenever the computer requests a new lease, it will get the same IP. That is very useful for network servers with a DNS record. You can also deny certain MACs from obtaining an IP.<br />
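The {{ic|dhcp-range}} pool has to fit the subnet configured on {{ic|intern0}}, and it shrinks accordingly if you picked a smaller prefix such as the /27 from the CIDR note above. The following POSIX sh function is an added example, not part of the original article: it derives the netmask and the usable host range from the router's own address/prefix and prints a matching {{ic|dhcp-range}} line, keeping the network address, the broadcast address and the router's own address out of the pool.<br />
<br />
```sh
#!/bin/sh
# Added example (not from the original article): derive a dnsmasq dhcp-range
# line from the address/prefix configured on intern0, so the DHCP pool always
# matches the subnet. The pool excludes the network address, the broadcast
# address and the router's own address.

# ip4_to_int 10.0.0.1 -> 167772161
ip4_to_int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip4 167772161 -> 10.0.0.1
int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix_to_mask 27 -> 4294967264 (255.255.255.224)
prefix_to_mask() {
    echo $(( (0xffffffff << (32 - $1)) & 0xffffffff ))
}

# dhcp_range <router-addr>/<prefixlen> [lease]
#   dhcp_range 10.0.0.1/27 12h -> dhcp-range=10.0.0.2,10.0.0.30,255.255.255.224,12h
# Assumes the router sits at an edge of the subnet (first or last host), as in
# the article's 10.0.0.1/24; an address in the middle of the pool would have
# to be reserved with a dhcp-host entry instead.
dhcp_range() {
    addr=${1%/*}
    plen=${1#*/}
    lease=${2:-1h}
    case $plen in
        ''|*[!0-9]*) echo "bad prefix length: $plen" >&2; return 1 ;;
    esac
    if [ "$plen" -lt 8 ] || [ "$plen" -gt 30 ]; then
        echo "prefix length must be between 8 and 30" >&2
        return 1
    fi
    mask=$(prefix_to_mask "$plen")
    router=$(ip4_to_int "$addr")
    net=$(( router & mask ))
    bcast=$(( net | (0xffffffff ^ mask) ))
    first=$(( net + 1 ))
    last=$(( bcast - 1 ))
    # keep the router's own address out of the pool
    [ "$first" -eq "$router" ] && first=$(( first + 1 ))
    [ "$last" -eq "$router" ] && last=$(( last - 1 ))
    if [ "$first" -gt "$last" ]; then
        echo "no addresses left for clients" >&2
        return 1
    fi
    echo "dhcp-range=$(int_to_ip4 "$first"),$(int_to_ip4 "$last"),$(int_to_ip4 "$mask"),$lease"
}

# Example run with the article's internal address:
dhcp_range 10.0.0.1/24 1h
```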
<br />
Now start dnsmasq:<br />
# systemctl start dnsmasq.service<br />
<br />
==Connection sharing==<br />
<br />
Time to tie the two network interfaces to each other.<br />
===iptables===<br />
[[Simple stateful firewall]] documents the setup of an [[iptables]] firewall and NAT.<br />
<br />
===Shorewall===<br />
Shorewall, an iptables frontend, can be used as an easier alternative. See [[Shorewall]] for detailed configuration.<br />
<br />
==IPv6==<br />
<br />
''Useful reading: [[IPv6]] and the [https://en.wikipedia.org/wiki/IPv6 Wikipedia IPv6 entry].''<br />
<br />
You can use your router in IPv6 mode even if you do not have an IPv6 address from your ISP. Unless you disable IPv6, every interface is automatically assigned a unique link-local address from {{ic|fe80::/10}}.<br />
<br />
For internal networking the block {{ic|fc00::/7}} has been reserved. These addresses are guaranteed to be unique and non-routable from the open internet. Addresses that belong to the {{ic|fc00::/7}} block are called [http://en.wikipedia.org/wiki/Unique_local_address Unique Local Addresses]. To get started [http://www.simpledns.com/private-ipv6.aspx generate a ULA /64 block] to use in your network. For this example we will use {{ic|fd00:aaaa:bbbb:cccc::/64}}. First, assign a static IPv6 address to the internal interface by adding the following line to the {{ic|intern0-profile}} created above:<br />
IPCustom=('-6 addr add fd00:aaaa:bbbb:cccc::1/64 dev intern0')<br />
This will add the ULA to the internal interface. As far as the router goes, this is all you need to configure.<br />
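A ULA prefix can just as well be generated on the router itself rather than with an online generator. The following POSIX sh functions are an added example, not part of the original article: {{ic|gen_ula_prefix}} builds an RFC 4193 style {{ic|fd00::/8}} prefix (the 40-bit Global ID is read from {{ic|/dev/urandom}}, a simplification of the SHA-1 based derivation in the RFC), and {{ic|ip6_scope}} tells the address blocks this section refers to ({{ic|fc00::/7}}, {{ic|fe80::/10}}, global unicast) apart, which is handy when reviewing firewall rules later.<br />
<br />
```sh
#!/bin/sh
# Added example (not from the original article): generate a Unique Local
# Address (ULA) /64 prefix locally instead of with an online generator, and
# classify IPv6 addresses by the blocks the article refers to.
#
# RFC 4193 layout: fd | 40-bit Global ID | 16-bit Subnet ID | 64-bit interface ID.
# RFC 4193 derives the Global ID from a SHA-1 over time and an EUI-64; this
# example simply reads 40 random bits from /dev/urandom (a simplification).

# gen_ula_prefix [subnet-id as 4 hex digits] -> e.g. fd3a:7c21:9b0e:0001::/64
gen_ula_prefix() {
    subnet=$(printf '%s' "${1:-0001}" | tr 'A-F' 'a-f')
    case $subnet in
        [0-9a-f][0-9a-f][0-9a-f][0-9a-f]) ;;
        *) echo "subnet id must be 4 hex digits" >&2; return 1 ;;
    esac
    # five random bytes = 40-bit Global ID as 10 hex digits
    gid=$(od -An -N5 -tx1 /dev/urandom | tr -d ' \n')
    g01=${gid%????????}       # first 2 hex digits
    rest=${gid#??}
    g25=${rest%????}          # next 4
    g69=${rest#????}          # last 4
    echo "fd${g01}:${g25}:${g69}:${subnet}::/64"
}

# ip6_scope <address[/len]> -> ula | link-local | global | other
# Only the first hextet is inspected: fc00::/7 (fc.. or fd..), fe80::/10
# (fe80-febf) and the global unicast block 2000::/3 (first digit 2 or 3).
ip6_scope() {
    a=$(printf '%s' "${1%/*}" | tr 'A-F' 'a-f')
    case $a in
        fc[0-9a-f][0-9a-f]:*|fd[0-9a-f][0-9a-f]:*) echo ula ;;
        fe[89ab][0-9a-f]:*) echo link-local ;;
        [23][0-9a-f][0-9a-f][0-9a-f]:*) echo global ;;
        *) echo other ;;
    esac
}

# Example run: a fresh prefix for the LAN and the router's address in it
p=$(gen_ula_prefix)
echo "prefix: $p"
echo "router: ${p%::/64}::1/64  (scope: $(ip6_scope "$p"))"
```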
<br />
===Router Advertisement and Stateless Autoconfiguration (SLAAC)===<br />
<br />
To properly hand out IPv6 addresses to the network clients we will need to use a router advertisement daemon. The standard tool for this job is {{ic|radvd}}, available in {{ic|[community]}}. Configuration of radvd is fairly simple. Edit {{ic|/etc/radvd.conf}} to include:<br />
<br />
interface intern0 {<br />
AdvSendAdvert on;<br />
MinRtrAdvInterval 3;<br />
MaxRtrAdvInterval 10;<br />
prefix fd00:aaaa:bbbb:cccc::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
};<br />
};<br />
<br />
The above configuration will tell clients to autoconfigure themselves using addresses from the specified /64 block. Addresses on the clients are uniquely generated from the MAC address of the connected interface and are optionally mangled for security reasons if [[IPv6#Privacy_Extensions|privacy extensions]] are enabled (which is recommended). On the client side you need to enable {{ic|IP6&#61;stateless}} in your active netctl profile. If you want a static IP as well, add:<br />
IPCustom=('-6 addr add fd00:aaaa:bbbb:cccc::2/64 dev eth0')<br />
<br />
Do not forget to enable {{ic|radvd.service}}.<br />
<br />
====Firewall tweaks====<br />
<br />
Stateless autoconfiguration works only if ICMPv6 packets are allowed throughout the network, so some firewall tweaks are required on both ends of the network for it to work properly. On the '''client side''' all you need to do is allow the {{ic|ipv6-icmp}} protocol on the INPUT chain. If you are using [[Simple Stateful Firewall]] you only need to add:<br />
<br />
-A INPUT -p ipv6-icmp -j ACCEPT<br />
<br />
You can limit the rule to the internal network using {{ic|-s fd00:aaaa:bbbb:cccc::/64}} and/or {{ic|-s fe80::/10}} if you consider it a security threat. Additionally you must add the same rule to your router's firewall, extended to the OUTPUT and FORWARD chains as well:<br />
<br />
-A INPUT -p ipv6-icmp -j ACCEPT<br />
-A OUTPUT -p ipv6-icmp -j ACCEPT<br />
-A FORWARD -p ipv6-icmp -j ACCEPT<br />
<br />
Again, you can limit it to the internal network for the INPUT chain.<br />
<br />
{{Expansion|More information on IPv6 firewalls required}}<br />
{{Expansion|Additional info on running DHCPv6 server instead of SLAAC}}<br />
<br />
===Global Unicast Addresses===<br />
<br />
====Static WAN IPv6====<br />
<br />
If your ISP or WAN network can access the IPv6 Internet you can assign global unicast addresses to your router and propagate them through SLAAC to your internal network. If you can use a static IPv6 address, all you must do is add it to your external profile and enable advertisement of the global unicast block in {{ic|radvd.conf}}.<br />
<br />
In {{ic|/etc/netctl/extern0-profile}} simply add the IPv6 address and prefix length (usually /64) you have been provided:<br />
<br />
IPCustom=('-6 addr add 2002:1:2:3:4:5:6:7/64 dev extern0')<br />
<br />
and edit {{ic|/etc/radvd.conf}} to include the new advertisement block:<br />
<br />
interface intern0 {<br />
AdvSendAdvert on;<br />
MinRtrAdvInterval 3;<br />
MaxRtrAdvInterval 10;<br />
prefix fd00:aaaa:bbbb:cccc::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
};<br />
prefix 2002:1:2:3::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
};<br />
};<br />
<br />
This way your internal network clients will also get a global IPv6 address. This address is routable from the open internet, so adjust your firewalls. Please note that global and unique local IPv6 addresses can co-exist on the same interface without further configuration.<br />
<br />
====Acquiring WAN IPv6 via DHCPv6-PD====<br />
<br />
If your ISP hands out IPv6 addresses using [https://en.wikipedia.org/wiki/Prefix_delegation DHCPv6-PD] you will need to use a DHCPv6 client to obtain them from your ISP. Common clients are [https://aur.archlinux.org/packages.php?O=0&L=0&C=0&K=dibbler dibbler], [https://aur.archlinux.org/packages/wide-dhcpv6 wide-dhcpv6] and [https://www.archlinux.org/packages/?sort=&q=dhcpcd&maintainer=&flagged= dhcpcd]. [https://www.archlinux.org/packages/?sort=&q=dhclient&maintainer=&flagged= ISC dhclient] should also work, but documentation on prefix delegation is scarce.<br />
<br />
For '''dibbler''', edit {{ic|/etc/dibbler/client.conf}}:<br />
<br />
log-mode short<br />
log-level 7<br />
iface "extern0" {<br />
ia<br />
pd<br />
}<br />
<br />
{{Tip|Read manpage '''{{ic|dibbler-client(8)}}''' for more information.}}<br />
<br />
For '''wide-dhcpv6''', edit {{ic|/etc/wide-dhcpv6/dhcp6c.conf}}:<br />
<br />
interface extern0 {<br />
send ia-pd 0;<br />
};<br />
<br />
id-assoc pd 0 {<br />
prefix-interface intern0 {<br />
sla-id 1;<br />
sla-len 8;<br />
};<br />
};<br />
<br />
To enable and start the wide-dhcpv6 client, use:<br />
# systemctl enable dhcp6c@extern0.service<br />
# systemctl start dhcp6c@extern0.service<br />
<br />
{{Tip|Read manpages '''{{ic|dhcp6c(8)}}''' and '''{{ic|dhcp6c.conf(5)}}''' for more information.}}<br />
<br />
For '''dhcpcd''', edit {{ic|/etc/dhcpcd.conf}}. You might already be using dhcpcd for IPv4, so just update your existing configuration. If you would like to use it for IPv6 only, uncomment the third line.<br />
<br />
duid<br />
noipv6rs<br />
#ipv6only<br />
interface extern0<br />
ia_pd 1 intern0<br />
<br />
This configuration will ask for a prefix from WAN (interface {{ic|extern0}}) and delegate it to the internal interface ({{ic|intern0}}).<br />
<br />
{{Tip|Also read: manpages '''{{ic|dhcpcd(8)}}''' and '''{{ic|dhcpcd.conf(5)}}'''.}}<br />
<br />
Because the IPv6 prefix is now dynamic, we need to change radvd to advertise any prefix instead of specific ones. With this configuration radvd will pick any /64 prefix available on the internal interface and hand out SLAAC IPv6 addresses to the clients. Simply change {{ic|/etc/radvd.conf}} to:<br />
<br />
interface intern0 {<br />
AdvSendAdvert on;<br />
MinRtrAdvInterval 3;<br />
MaxRtrAdvInterval 10;<br />
prefix ::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
DeprecatePrefix on;<br />
};<br />
};<br />
<br />
====PPPoE and IPv6====<br />
If your ISP provides IPv6 via PPPoE you can enable it in your PPPoE netctl profile. Just add the following to the profile:<br />
<br />
PPPoEIP6=yes<br />
<br />
and restart it. You must also change any {{ic|extern0}} references in the configuration files above to {{ic|ppp0}}, since the IPv6 address is assigned to the ppp pseudo-interface instead of a real ethernet interface. Please note that, depending on your modem, IPv6 might not be available through half-bridge mode, in which case switch to full RFC1483 bridging instead.<br />
<br />
{{Warning|dhclient does not support DHCPv6-PD via PPP.}}<br />
<br />
==Cleanup==<br />
<br />
Now that the installation has been performed, it is necessary to remove as many packages as possible. Since we are making a gateway, keeping unneeded packages only "bloats" the system, and increases the number of security risks.<br />
<br />
First, check for obsolete or deprecated packages (likely present after a fresh install followed by a long series of updates):<br />
<br />
$ pacman -Qm<br />
<br />
Review the list of explicitly installed packages that are not dependencies and remove any that are unneeded. Having only needed packages installed is an important security consideration.<br />
<br />
$ pacman -Qet<br />
<br />
Completely remove the packages you do not need along with their configuration files and dependencies:<br />
<br />
# pacman -Rsn package1 package2 package3<br />
<br />
== Logrotate ==<br />
<br />
You should review the [[logrotate]] configuration to make sure the box is not brought down by lack of disk space due to logging.<br />
<br />
Logrotate is installed by default, so you will not have to install it.<br />
<br />
==Optional additions==<br />
<br />
===UPnP===<br />
The above configuration of shorewall does not include [[Wikipedia:UPnP|UPnP]] support. Use of UPnP is discouraged as it may make the gateway vulnerable to attacks from within the LAN. However, some applications require it to function correctly.<br />
<br />
To enable UPnP on your router, you need to install a UPnP Internet gateway daemon (IGD). To get it, install {{Pkg|miniupnpd}} from the [[official repositories]].<br />
<br />
Read the [http://www.shorewall.net/UPnP.html Shorewall guide on UPnP] for more information.<br />
<br />
===Remote administration===<br />
<br />
[[SSH|OpenSSH]] can be used to administer your router remotely. This is useful for running it "headless" (no monitor or input devices).<br />
<br />
=== Caching web proxy ===<br />
<br />
See [[Squid]] or [[Polipo]] for the setup of a web proxy to speed up browsing and/or adding an extra layer of security.<br />
<br />
=== Time server ===<br />
To use the router as a time server, see [[Network Time Protocol]].<br />
<br />
Then, configure shorewall or iptables to allow NTP traffic in and out.<br />
<br />
=== Content filtering ===<br />
<br />
Install and configure [[DansGuardian]] or [[Privoxy]] if you need a content filtering solution.<br />
<br />
=== Traffic shaping ===<br />
<br />
Traffic shaping is very useful, especially when you are not the only one on the LAN. The idea is to assign a priority to different types of traffic. Interactive traffic (ssh, online gaming) probably needs the highest priority, while P2P traffic can do with the lowest. Then there is everything in between.<br />
<br />
==== Traffic shaping with shorewall ====<br />
<br />
Read [http://www.shorewall.net/traffic_shaping.htm Shorewall's Traffic Shaping/Control] guide.<br />
<br />
Here is my config as an example:<br />
* /etc/shorewall/tcdevices : here is where you define the interface you want to have shaped and its rates. I have got an ADSL connection with a 4MBit down/256KBit up profile.<br />
ppp0 4mbit 256kbit <br />
* /etc/shorewall/tcclasses : here you define the minimum (rate) and maximum (ceil) throughput per class. You will assign each one to a type of traffic to shape.<br />
# interactive traffic (ssh)<br />
ppp0 1 full full 0<br />
# online gaming<br />
ppp0 2 full/2 full 5<br />
# http<br />
ppp0 3 full/4 full 10<br />
# rest<br />
ppp0 4 full/6 full 15 default<br />
* /etc/shorewall/tcrules : this file contains the types of traffic and the class it belongs to.<br />
1 0.0.0.0/0 0.0.0.0/0 tcp ssh<br />
2 0.0.0.0/0 0.0.0.0/0 udp 27000:28000<br />
3 0.0.0.0/0 0.0.0.0/0 tcp http<br />
3 0.0.0.0/0 0.0.0.0/0 tcp https<br />
I have split my traffic up into 4 groups:<br />
# interactive traffic or ssh: although it takes up almost no bandwidth, it is very annoying if it lags due to leechers on the LAN. This gets the highest priority.<br />
# online gaming: needless to say you cannot play when your ping sucks. ;)<br />
# web traffic: can be a bit slower<br />
# everything else: every sort of download, they are the cause of the lag anyway.<br />
<br />
===Intrusion detection and prevention with snort===<br />
<br />
See [[Snort]].<br />
<br />
==See also==<br />
*[[Simple stateful firewall]]<br />
*[[Internet Sharing]]</div>Foucaulthttps://wiki.archlinux.org/index.php?title=Router&diff=282161Router2013-11-10T00:20:34Z<p>Foucault: /* PPPoE and IPv6 */ Notice on dhclient</p>
<hr />
<div>[[Category:Networking]]<br />
[[Category:Security]]<br />
This article is a tutorial for turning a computer into an internet gateway/router. It focuses on ''security'', since the gateway is connected directly to the Internet. It should not run '''any''' services available to the outside world. Towards the LAN, it should only run gateway specific services. It should not run httpd, ftpd, samba, nfsd, etc. as those belong on a server in the LAN as they introduce security flaws.<br />
<br />
This article does not attempt to show how to set up a shared connection between 2 PCs using cross-over cables. For a simple internet sharing solution, see [[Internet Sharing]].<br />
<br />
==Hardware Requirements==<br />
* At least 1 GB of hard drive space. The base install will take up around 500MB of space and if you want to use a caching web proxy, you will need to reserve space for the cache as well.<br />
* At least two physical network interfaces: a gateway connects two networks with each other. You will need to be able to connect those networks to the same physical computer. One interface must connect to the external network, while the other connects to the internal network.<br />
* A hub, switch or UTP cable: You need a way to connect the other computers to the gateway<br />
<br />
==Conventions==<br />
Conventions in this guide will be to use non-realistic interface names, to avoid confusion about which interface is which.<br />
<br />
* '''intern0''': the network card connected to the LAN. On an actual computer it will probably have the name enp2s0, enp1s1, etc.<br />
* '''extern1''': the network card connected to the external network (or WAN). It will probably have the name enp2s0, enp1s1, etc.<br />
<br />
==Installation==<br />
{{Note | For a full installation guide, see the [[Official Arch Linux Install Guide]].}}<br />
<br />
A fresh install of Arch Linux is the easiest to start from, as no configuration changes have been made and there is a minimal amount of packages installed. This is helpful when attempting to reduce security risk.<br />
<br />
===Partitioning===<br />
<br />
For security purposes, {{ic|/var}}, {{ic|/tmp}} and {{ic|/home}} should be separate from the {{ic|/}} partition. This prevents disk space from being completely used up by log files, daemons or the unprivileged user. It also allows different mount options for those partitions. If you have already partitioned your drive, the [http://gparted.sourceforge.net/ gparted livecd] can be used to resize, move, or create new partitions.<br />
<br />
Your home and root partitions can be much smaller than a regular install since this is not a desktop machine. {{ic|/var}} should be the largest partition—it is where databases, logs and long-term caches are stored. If you have a lot of RAM, mounting {{ic|/tmp}} as {{ic|tmpfs}} is a good idea, so making a disk partition for it during the initial install is unnecessary. Note that {{ic|/tmp}} is mounted as {{ic|tmpfs}} by default in Arch.<br />
<br />
===Post-Installation===<br />
After creation of non-root account you are recommended to install [[sudo]] and [[sudo#Disable root login|disable root login]].<br />
<br />
==Network interface configuration==<br />
<br />
===Persistent naming and Interface renaming===<br />
Systemd automatically chooses unique interface names for all your interfaces. These are persistent and will not change when you reboot. If you would like to rename interface to user friendlier names read [[Network_Configuration#Device_names]].<br />
<br />
===IP configuration===<br />
Now you will need to configure the network interfaces. The best way to do so is using [[netctl]] profiles. You will need to create two profiles.<br />
{{Note|If you will be connecting to the Internet only via PPPoE (you have one WAN port) you '''do not need''' to setup or enable the extern0-profile. See below for more information on configuring PPPoE.}}<br />
* {{ic|/etc/netctl/extern0-profile}}<br />
Description='Public Interface.'<br />
Interface=extern0<br />
Connection=ethernet<br />
IP='dhcp'<br />
<br />
* {{ic|/etc/netctl/intern0-profile}}<br />
Description='Private Interface'<br />
Interface=intern0<br />
Connection=ethernet<br />
IP='static'<br />
Address=('10.0.0.1/24')<br />
<br />
{{Note|The example configuration above assumes a full subnet. If you are building the gateway for a small amount of people, you will want to change the CIDR suffix to accommodate a smaller range. For example /27 will give you 10.0.0.1 to 10.0.0.30. You can find many CIDR calculators online.}}<br />
<br />
Next up is to set up the interfaces with netctl.<br />
# netctl enable extern0-profile<br />
# netctl enable intern0-profile<br />
<br />
==ADSL connection/PPPoE==<br />
Using rp-pppoe, we can connect an ADSL modem to the extern1 of the firewall and have Arch manage the connection. Make sure you put the modem in ''bridged'' mode though (either half-bridge or RFC1483), otherwise the modem will act as a router too.<br />
# pacman -S rp-pppoe<br />
<br />
It should be noted that if you use only PPPoE to connect to the internet (ie. you do not have other WAN port, except for the one that connects to your modem) you do not need to set up the extern0-profile as our external pseudo-interface will be ppp0.<br />
<br />
===PPPoE configuration===<br />
You can use netctl to setup the pppoe connection. To get started<br />
# cp /etc/netctl/examples/pppoe /etc/netctl/<br />
and start editing. For the interface configuration choose the interface that connects to the modem. If you only connect to the internet through PPPoE this will probably be '''extern0'''. Fill in the rest of the fields with your ISP information. See the pppoe section in netctl.profile man page for more information on the fields.<br />
<br />
==DNS and DHCP==<br />
We will use [[dnsmasq]], a DNS and DHCP daemon for the LAN. It was specifically designed for small sites. To get it, [[Pacman | install]] {{Pkg|dnsmasq}} from the [[official repositories]].<br />
<br />
Dnsmasq needs to be configured to be a DHCP server. To do this:<br />
<br />
Edit {{ic|/etc/dnsmasq.conf}}:<br />
<br />
interface=intern0 # make dnsmasq listen for requests only on intern0 (our LAN)<br />
expand-hosts # add a domain to simple hostnames in /etc/hosts<br />
domain=foo.bar # allow fully qualified domain names for DHCP hosts (needed when<br />
# "expand-hosts" is used)<br />
dhcp-range=10.0.0.2,10.0.0.255,255.255.255.0,1h # defines a DHCP-range for the LAN: <br />
# from 10.0.0.2 to .255 with a subnet mask of 255.255.255.0 and a<br />
# DHCP lease of 1 hour (change to your own preferences)<br />
<br />
Somewhere below, you will notice you can also add "static" DHCP leases, i.e. assign an IP-address to the MAC-address of a computer on the LAN. This way, whenever the computer requests a new lease, it will get the same IP. That is very useful for network servers with a DNS record. You can also deny certain MAC's from obtaining an IP.<br />
<br />
Now start dnsmasq:<br />
# systemctl start dnsmasq.service<br />
<br />
==Connection sharing==<br />
<br />
Time to tie the two network interfaces to each other.<br />
===iptables===<br />
[[Simple stateful firewall]] documents the setup of an [[iptables]] firewall and NAT.<br />
<br />
===Shorewall===<br />
Shorewall, an iptables frontend, can be used as an easier alternative. See [[Shorewall]] for detailed configuration.<br />
<br />
==IPv6==<br />
<br />
''Useful reading: [[IPv6]] and the [https://en.wikipedia.org/wiki/IPv6 Wikipedia IPv6 entry].''<br />
<br />
You can use your router in IPv6 mode even if you do not have an IPv6 address from your ISP. Unless you disable IPv6 all interfaces should have been assigned a unique {{ic|fe80::/10}} address.<br />
<br />
For internal networking the block {{ic|fc00::/7}} has been reserved. These addresses are guaranteed to be unique and non-routable from the open internet. Addresses that belong to the {{ic|fc00::/7}} block are called [http://en.wikipedia.org/wiki/Unique_local_address Unique Local Addresses]. To get started [http://www.simpledns.com/private-ipv6.aspx generate a ULA /64 block] to use in your network. For this example we will use {{ic|fd00:aaaa:bbbb:cccc::/64}}. Firstly we must assign a static IPv6 on the internal interface. Modify the {{ic|intern0-profile}} we created above to include the following line<br />
IPCustom=('-6 addr add fd00:aaaa:bbbb:cccc::1/64 dev intern0')<br />
This will add the ULA to the internal interface. As far as the router goes, this is all you need to configure.<br />
<br />
===Router Advertisement and Stateless Autoconfiguration (SLAAC)===<br />
<br />
To properly hand out IPv6s to the network clients we will need to use an advertising daemon. The standard tool for this job is {{ic|radvd}} and is available in {{ic|[community]}}. Configuration of radvd is fairly simple. Edit {{ic|/etc/radvd.conf}} to include<br />
<br />
interface intern0 {<br />
AdvSendAdvert on;<br />
MinRtrAdvInterval 3;<br />
MaxRtrAdvInterval 10;<br />
prefix fd00:aaaa:bbbb:cccc::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
};<br />
};<br />
<br />
The above configuration will tell clients to autoconfigure themselves using addresses from the specified /64 block. Addresses on the clients are uniquely generated using the MAC address of the connected interface and are optionally mangled for security reasons if [[IPv6#Privacy_Extensions|privacy extensions]] are enabled (which is recommended to do). On the client side you need to enable {{ic|IP6&#61;stateless}} in your active netctl profile. If you want a static IP as well add<br />
IPCustom=('-6 addr add fd00:aaaa:bbbb:cccc::2/64 dev eth0')<br />
<br />
Don't forget to enable radvd.service<br />
<br />
====Firewall tweaks====<br />
<br />
Stateless autoconfiguration works on the condition that IPv6 icmp packets are allowed throughout the network. So some firewall tweaks are required on both ends of the network for it to work properly. On the '''client side''' all you need to do is allow the {{ic|ipv6-icmp}} protocol on the INPUT chain. If you are using [[Simple Stateful Firewall]] you only need to add<br />
<br />
-A INPUT -p ipv6-icmp -j ACCEPT<br />
<br />
You can limit it to internal network using {{ic|-s fd00:aaaa:bbbb:cccc::/64}} and/or {{ic|-s fe80::/10}} if you feel it is a security threat. Additionally you must add the same rules to your router firewall but extending it to the OUTPUT and FORWARD chains as well.<br />
<br />
-A INPUT -p ipv6-icmp -j ACCEPT<br />
-A OUTPUT -p ipv6-icmp -j ACCEPT<br />
-A FORWARD -p ipv6-icmp -j ACCEPT<br />
<br />
Again, you can limit it to the internal network for the INPUT chain.<br />
<br />
{{Expansion|More information on IPv6 firewalls required}}<br />
{{Expansion|Additional info on running DHCPv6 server instead of SLAAC}}<br />
<br />
===Global Unicast Addresses===<br />
<br />
====Static WAN IPv6====<br />
<br />
If your ISP or WAN network can access the IPv6 Internet you can assign global link addresses to your router and propagate them through SLAAC to your internal network. If you can use a Static IPv6 all you must do is add it to your external profile and enable it the advertisement of the global unicast block in {{ic|radvd.conf}}.<br />
<br />
In {{ic|/etc/netctl/extern0-profile}} simply add the IPv6 address and prefix length (usually /64) you have been provided:<br />
<br />
IPCustom=('-6 addr add 2002:1:2:3:4:5:6:7/64 dev extern0')<br />
<br />
and edit {{ic|/etc/radvd.conf}} to include the new advertisement block.<br />
<br />
interface intern0 {<br />
AdvSendAdvert on;<br />
MinRtrAdvInterval 3;<br />
MaxRtrAdvInterval 10;<br />
prefix fd00:aaaa:bbbb:cccc::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
};<br />
prefix 2002:1:2:3::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
};<br />
};<br />
<br />
In that way your internal network clients will also get a Global IPv6 address. This IP is routable from the open internet, so adjust your firewalls. Please note that global and local IPv6s can co-exist on the same interface without further configuration.<br />
<br />
====Acquiring WAN IPv6 via DHCPv6-PD====<br />
<br />
If your ISP hands out IPv6 addresses using [https://en.wikipedia.org/wiki/Prefix_delegation DHCPv6-PD] you will need a DHCPv6 client to obtain the delegated prefix from your ISP. Common such programs are [https://aur.archlinux.org/packages.php?O=0&L=0&C=0&K=dibbler dibbler], [https://aur.archlinux.org/packages/wide-dhcpv6 wide-dhcpv6] and [https://www.archlinux.org/packages/?sort=&q=dhcpcd&maintainer=&flagged= dhcpcd]. [https://www.archlinux.org/packages/?sort=&q=dhclient&maintainer=&flagged= ISC dhclient] should also work, but documentation on prefix delegation is scarce.<br />
<br />
For '''dibbler''' edit {{ic|/etc/dibbler/client.conf}}<br />
<br />
log-mode short<br />
log-level 7<br />
iface "extern0" {<br />
ia<br />
pd<br />
}<br />
<br />
Recommended read: manpage {{ic|dibbler-client(8)}} for more information.<br />
<br />
For '''wide-dhcpv6''' edit {{ic|/etc/wide-dhcpv6/dhcp6c.conf}}<br />
<br />
interface extern0 {<br />
send ia-pd 0;<br />
};<br />
<br />
id-assoc pd 0 {<br />
prefix-interface intern0 {<br />
sla-id 1;<br />
sla-len 8;<br />
};<br />
};<br />
<br />
To enable and start the wide-dhcpv6 client, use<br />
# systemctl enable/start dhcp6c@extern0.service<br />
<br />
Recommended read: manpages {{ic|dhcp6c(8)}} and {{ic|dhcp6c.conf(5)}} for more information.<br />
<br />
For '''dhcpcd''' edit {{ic|/etc/dhcpcd.conf}}. You might already be using dhcpcd for IPv4, so just update your existing configuration. If you would like to use it for IPv6 only, uncomment the third line ({{ic|ipv6only}}).<br />
<br />
duid<br />
noipv6rs<br />
#ipv6only<br />
interface extern0<br />
ia_pd 1 intern0<br />
<br />
This configuration will ask for a prefix from WAN (interface {{ic|extern0}}) and delegate it to the internal interface ({{ic|intern0}}).<br />
<br />
Also read: manpages {{ic|dhcpcd(8)}} and {{ic|dhcpcd.conf(5)}}<br />
<br />
Because the IPv6 prefix is now dynamic, we need to change radvd to advertise any subnet instead of specific ones. With the following configuration radvd will pick any /64 prefix available on the internal interface and propagate SLAAC IPv6 addresses to the clients. Simply change {{ic|/etc/radvd.conf}} to<br />
<br />
interface intern0 {<br />
AdvSendAdvert on;<br />
MinRtrAdvInterval 3;<br />
MaxRtrAdvInterval 10;<br />
prefix ::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
DeprecatePrefix on;<br />
};<br />
};<br />
<br />
====PPPoE and IPv6====<br />
If your ISP provides IPv6 via PPPoE, you can enable it in your pppoe netctl profile. Just add this line to the profile<br />
<br />
PPPoEIP6=yes<br />
<br />
and restart it. You must also change any {{ic|extern0}} references in the configuration files above to {{ic|ppp0}}, since IPv6 is assigned to the ppp pseudo-interface instead of a real Ethernet interface. Note that, depending on your modem, IPv6 might not be available through half-bridge mode, so switch to full RFC1483 bridging instead.<br />
<br />
{{Warning|dhclient does not support DHCP6-PD via PPP}}<br />
<br />
==Cleanup==<br />
<br />
Now that the installation has been performed, it is necessary to remove as many unneeded packages as possible. Since we are making a gateway, keeping unneeded packages only "bloats" the system and increases the number of security risks.<br />
<br />
First, check for obsolete or deprecated packages (likely to be present after a fresh install followed by a long series of updates):<br />
<br />
$ pacman -Qm<br />
<br />
Review the list of explicitly installed packages that are not dependencies and remove any that are unneeded. Having only needed packages installed is an important security consideration.<br />
<br />
$ pacman -Qet<br />
<br />
Completely remove the packages you do not need along with their configuration files and dependencies:<br />
<br />
# pacman -Rsn package1 package2 package3<br />
<br />
== Logrotate ==<br />
<br />
You should review the [[logrotate]] configuration to make sure the box is not brought down by lack of disk space due to logging.<br />
<br />
Logrotate is installed by default, so you will not have to install it.<br />
<br />
==Optional additions==<br />
<br />
===UPnP===<br />
The above configuration of shorewall does not include [[Wikipedia:UPnP|UPnP]] support. Use of UPnP is discouraged as it may make the gateway vulnerable to attacks from within the LAN. However, some applications require this to function correctly.<br />
<br />
To enable UPnP on your router, you need to install a UPnP Internet gateway daemon (IGD). To get it, install {{Pkg|miniupnpd}} from the [[official repositories]].<br />
<br />
Read the [http://www.shorewall.net/UPnP.html Shorewall guide on UPnP] for more information.<br />
<br />
===Remote administration===<br />
<br />
[[SSH|OpenSSH]] can be used to administer your router remotely. This is useful for running it "headless" (no monitor or input devices).<br />
<br />
=== Caching web proxy ===<br />
<br />
See [[Squid]] or [[Polipo]] for the setup of a web proxy to speed up browsing and/or add an extra layer of security.<br />
<br />
=== Time server ===<br />
To use the router as a time server, see [[Network Time Protocol]].<br />
<br />
Then, configure shorewall or iptables to allow NTP traffic in and out.<br />
<br />
=== Content filtering ===<br />
<br />
Install and configure [[DansGuardian]] or [[Privoxy]] if you need a content filtering solution.<br />
<br />
=== Traffic shaping ===<br />
<br />
Traffic shaping is very useful, especially when you are not the only one on the LAN. The idea is to assign a priority to different types of traffic. Interactive traffic (ssh, online gaming) probably needs the highest priority, while P2P traffic can do with the lowest. Then there is everything in between.<br />
<br />
==== Traffic shaping with shorewall ====<br />
<br />
Read [http://www.shorewall.net/traffic_shaping.htm Shorewall's Traffic Shaping/Control] guide.<br />
<br />
Here is my config as an example:<br />
* /etc/shorewall/tcdevices : here is where you define the interface you want to have shaped and its rates. I have an ADSL connection with a 4 Mbit down / 256 kbit up profile.<br />
ppp0 4mbit 256kbit <br />
* /etc/shorewall/tcclasses : here you define the minimum (rate) and maximum (ceil) throughput per class. You will assign each one to a type of traffic to shape.<br />
# interactive traffic (ssh)<br />
ppp0 1 full full 0<br />
# online gaming<br />
ppp0 2 full/2 full 5<br />
# http<br />
ppp0 3 full/4 full 10<br />
# rest<br />
ppp0 4 full/6 full 15 default<br />
* /etc/shorewall/tcrules : this file maps each type of traffic to the class it belongs to.<br />
1 0.0.0.0/0 0.0.0.0/0 tcp ssh<br />
2 0.0.0.0/0 0.0.0.0/0 udp 27000:28000<br />
3 0.0.0.0/0 0.0.0.0/0 tcp http<br />
3 0.0.0.0/0 0.0.0.0/0 tcp https<br />
I have split my traffic into 4 groups:<br />
# interactive traffic or ssh: although it takes up almost no bandwidth, it is very annoying if it lags due to leechers on the LAN. This gets the highest priority.<br />
# online gaming: needless to say, you cannot play when your ping sucks. ;)<br />
# web traffic: can be a bit slower<br />
# everything else: every sort of download; they are the cause of the lag anyway.<br />
<br />
===Intrusion detection and prevention with snort===<br />
<br />
See [[Snort]].<br />
<br />
==See also==<br />
*[[Simple stateful firewall]]<br />
*[[Internet Sharing]]</div>Foucaulthttps://wiki.archlinux.org/index.php?title=Router&diff=282160Router2013-11-10T00:16:35Z<p>Foucault: /* Acquiring WAN IPv6 via DHCPv6-PD */ Additional config info for DHCP6-PD and dhcpcd</p>
<hr />
<div>[[Category:Networking]]<br />
[[Category:Security]]<br />
This article is a tutorial for turning a computer into an internet gateway/router. It focuses on ''security'', since the gateway is connected directly to the Internet. It should not run '''any''' services available to the outside world. Towards the LAN, it should only run gateway-specific services. It should not run httpd, ftpd, samba, nfsd, etc.: those belong on a server inside the LAN, as running them on the gateway introduces security flaws.<br />
<br />
This article does not attempt to show how to set up a shared connection between 2 PCs using cross-over cables. For a simple internet sharing solution, see [[Internet Sharing]].<br />
<br />
==Hardware Requirements==<br />
* At least 1 GB of hard drive space. The base install will take up around 500 MB of space, and if you want to use a caching web proxy, you will need to reserve space for the cache as well.<br />
* At least two physical network interfaces: a gateway connects two networks with each other. You will need to be able to connect those networks to the same physical computer. One interface must connect to the external network, while the other connects to the internal network.<br />
* A hub, switch or UTP cable: You need a way to connect the other computers to the gateway<br />
<br />
==Conventions==<br />
Conventions in this guide will be to use non-realistic interface names, to avoid confusion about which interface is which.<br />
<br />
* '''intern0''': the network card connected to the LAN. On an actual computer it will probably have the name enp2s0, enp1s1, etc.<br />
* '''extern0''': the network card connected to the external network (or WAN). It will likewise probably have a name like enp2s0, enp1s1, etc.<br />
<br />
==Installation==<br />
{{Note | For a full installation guide, see the [[Official Arch Linux Install Guide]].}}<br />
<br />
A fresh install of Arch Linux is the easiest to start from, as no configuration changes have been made and there is a minimal amount of packages installed. This is helpful when attempting to reduce security risk.<br />
<br />
===Partitioning===<br />
<br />
For security purposes, {{ic|/var}}, {{ic|/tmp}} and {{ic|/home}} should be separate from the {{ic|/}} partition. This prevents disk space from being completely used up by log files, daemons or the unprivileged user. It also allows different mount options for those partitions. If you have already partitioned your drive, the [http://gparted.sourceforge.net/ gparted livecd] can be used to resize, move, or create new partitions.<br />
<br />
Your home and root partitions can be much smaller than a regular install since this is not a desktop machine. {{ic|/var}} should be the largest partition—it is where databases, logs and long-term caches are stored. If you have a lot of RAM, mounting {{ic|/tmp}} as {{ic|tmpfs}} is a good idea, so making a disk partition for it during the initial install is unnecessary. Note that {{ic|/tmp}} is mounted as {{ic|tmpfs}} by default in Arch.<br />
<br />
===Post-Installation===<br />
After creating a non-root account, it is recommended to install [[sudo]] and [[sudo#Disable root login|disable root login]].<br />
<br />
==Network interface configuration==<br />
<br />
===Persistent naming and Interface renaming===<br />
Systemd automatically chooses unique interface names for all your interfaces. These are persistent and will not change when you reboot. If you would like to rename interfaces to more user-friendly names, read [[Network_Configuration#Device_names]].<br />
<br />
===IP configuration===<br />
Now you will need to configure the network interfaces. The best way to do so is using [[netctl]] profiles. You will need to create two profiles.<br />
{{Note|If you will be connecting to the Internet only via PPPoE (you have one WAN port) you '''do not need''' to setup or enable the extern0-profile. See below for more information on configuring PPPoE.}}<br />
* {{ic|/etc/netctl/extern0-profile}}<br />
Description='Public Interface.'<br />
Interface=extern0<br />
Connection=ethernet<br />
IP='dhcp'<br />
<br />
* {{ic|/etc/netctl/intern0-profile}}<br />
Description='Private Interface'<br />
Interface=intern0<br />
Connection=ethernet<br />
IP='static'<br />
Address=('10.0.0.1/24')<br />
<br />
{{Note|The example configuration above assumes a full subnet. If you are building the gateway for a small amount of people, you will want to change the CIDR suffix to accommodate a smaller range. For example /27 will give you 10.0.0.1 to 10.0.0.30. You can find many CIDR calculators online.}}<br />
<br />
Next up is to set up the interfaces with netctl.<br />
# netctl enable extern0-profile<br />
# netctl enable intern0-profile<br />
<br />
==ADSL connection/PPPoE==<br />
Using rp-pppoe, we can connect an ADSL modem to the external interface ({{ic|extern0}}) of the firewall and have Arch manage the connection. Make sure you put the modem in ''bridged'' mode (either half-bridge or RFC1483); otherwise the modem will act as a router too.<br />
# pacman -S rp-pppoe<br />
<br />
Note that if you use only PPPoE to connect to the internet (i.e. you do not have another WAN port besides the one that connects to your modem), you do not need to set up the extern0-profile, as the external pseudo-interface will be ppp0.<br />
<br />
===PPPoE configuration===<br />
You can use netctl to set up the PPPoE connection. To get started, copy the example profile<br />
# cp /etc/netctl/examples/pppoe /etc/netctl/<br />
and start editing. For the interface configuration choose the interface that connects to the modem. If you only connect to the internet through PPPoE this will probably be '''extern0'''. Fill in the rest of the fields with your ISP information. See the pppoe section in netctl.profile man page for more information on the fields.<br />
<br />
==DNS and DHCP==<br />
We will use [[dnsmasq]], a DNS and DHCP daemon for the LAN. It was specifically designed for small sites. To get it, [[Pacman | install]] {{Pkg|dnsmasq}} from the [[official repositories]].<br />
<br />
Dnsmasq needs to be configured to be a DHCP server. To do this:<br />
<br />
Edit {{ic|/etc/dnsmasq.conf}}:<br />
<br />
interface=intern0 # make dnsmasq listen for requests only on intern0 (our LAN)<br />
expand-hosts # add a domain to simple hostnames in /etc/hosts<br />
domain=foo.bar # allow fully qualified domain names for DHCP hosts (needed when<br />
# "expand-hosts" is used)<br />
dhcp-range=10.0.0.2,10.0.0.254,255.255.255.0,1h # defines a DHCP range for the LAN:<br />
# from 10.0.0.2 to .254 (10.0.0.255 is the broadcast address and must not be leased)<br />
# with a subnet mask of 255.255.255.0 and a DHCP lease of 1 hour (change to your own preferences)<br />
<br />
Further down, you will notice you can also add "static" DHCP leases, i.e. assign an IP address to the MAC address of a computer on the LAN. This way, whenever the computer requests a new lease, it will get the same IP. That is very useful for network servers with a DNS record. You can also deny certain MACs from obtaining an IP.<br />
<br />
Now start dnsmasq:<br />
# systemctl start dnsmasq.service<br />
<br />
==Connection sharing==<br />
<br />
Time to tie the two network interfaces to each other.<br />
===iptables===<br />
[[Simple stateful firewall]] documents the setup of an [[iptables]] firewall and NAT.<br />
<br />
===Shorewall===<br />
Shorewall, an iptables frontend, can be used as an easier alternative. See [[Shorewall]] for detailed configuration.<br />
<br />
==IPv6==<br />
<br />
''Useful reading: [[IPv6]] and the [https://en.wikipedia.org/wiki/IPv6 Wikipedia IPv6 entry].''<br />
<br />
You can use your router in IPv6 mode even if you do not have an IPv6 address from your ISP. Unless you have disabled IPv6, all interfaces should already have a unique link-local address from {{ic|fe80::/10}}.<br />
<br />
For internal networking the block {{ic|fc00::/7}} has been reserved. These addresses are guaranteed to be unique and non-routable from the open internet. Addresses that belong to the {{ic|fc00::/7}} block are called [http://en.wikipedia.org/wiki/Unique_local_address Unique Local Addresses]. To get started, [http://www.simpledns.com/private-ipv6.aspx generate a ULA /64 block] to use in your network. For this example we will use {{ic|fd00:aaaa:bbbb:cccc::/64}}. First we must assign a static IPv6 address on the internal interface. Modify the {{ic|intern0-profile}} we created above to include the following line<br />
IPCustom=('-6 addr add fd00:aaaa:bbbb:cccc::1/64 dev intern0')<br />
This will add the ULA to the internal interface. As far as the router goes, this is all you need to configure.<br />
<br />
===Router Advertisement and Stateless Autoconfiguration (SLAAC)===<br />
<br />
To properly hand out IPv6s to the network clients we will need to use an advertising daemon. The standard tool for this job is {{ic|radvd}} and is available in {{ic|[community]}}. Configuration of radvd is fairly simple. Edit {{ic|/etc/radvd.conf}} to include<br />
<br />
interface intern0 {<br />
AdvSendAdvert on;<br />
MinRtrAdvInterval 3;<br />
MaxRtrAdvInterval 10;<br />
prefix fd00:aaaa:bbbb:cccc::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
};<br />
};<br />
<br />
The above configuration will tell clients to autoconfigure themselves using addresses from the specified /64 block. Addresses on the clients are uniquely generated from the MAC address of the connected interface and are optionally randomised for security reasons if [[IPv6#Privacy_Extensions|privacy extensions]] are enabled (which is recommended). On the client side you need to enable {{ic|IP6&#61;stateless}} in your active netctl profile. If you also want a static IP address, add<br />
IPCustom=('-6 addr add fd00:aaaa:bbbb:cccc::2/64 dev eth0')<br />
<br />
Do not forget to enable {{ic|radvd.service}}.<br />
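As a worked example added here (it is not code from the article, radvd or netctl), the following Python script generates a ULA prefix the way RFC 4193 describes, as an offline alternative to the online generator linked above, then derives the SLAAC address a client forms from its MAC address inside the advertised /64 and recovers the MAC from that address, which is exactly the exposure that privacy extensions avoid. The MAC address and timestamp it uses are constructed sample values.<br />
<br />
```python
"""Added example, not part of the wiki article: generate a ULA the way
RFC 4193 section 3.2.2 describes, then derive a client's SLAAC address from
its MAC inside the advertised /64 and recover the MAC from that address.
The MAC addresses and timestamps used are constructed sample values."""
import hashlib
import ipaddress
from typing import Optional

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01


def mac_octets(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' (or dash-separated) into six raw bytes."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return octets


def modified_eui64(mac: str) -> bytes:
    """RFC 4291 appendix A: insert ff:fe between the OUI and the device bytes
    and invert the universal/local bit (0x02) of the first byte."""
    o = mac_octets(mac)
    return bytes([o[0] ^ 0x02]) + o[1:3] + b"\xff\xfe" + o[3:]


def ntp_timestamp(unix_seconds: float) -> int:
    """64-bit NTP format: seconds since 1900 in the high 32 bits, fraction below."""
    whole = int(unix_seconds)
    fraction = int((unix_seconds - whole) * (1 << 32))
    return (((whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF) << 32) | (fraction & 0xFFFFFFFF)


def generate_ula_prefix(mac: str, unix_seconds: float) -> ipaddress.IPv6Network:
    """RFC 4193 3.2.2: Global ID = low 40 bits of SHA-1(NTP time || EUI-64),
    placed after fd00::/8 (fc00::/7 with the L bit set) to form a /48."""
    key = ntp_timestamp(unix_seconds).to_bytes(8, "big") + modified_eui64(mac)
    global_id = int.from_bytes(hashlib.sha1(key).digest()[-5:], "big")
    return ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80), 48))


def ula_subnet(prefix48: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """Choose one of the 65536 /64s in the /48; this is the block radvd advertises."""
    if prefix48.prefixlen != 48 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("need a /48 prefix and a 16-bit subnet id")
    return ipaddress.IPv6Network((int(prefix48.network_address) | (subnet_id << 64), 64))


def is_ula(cidr: str) -> bool:
    """True for prefixes inside fc00::/7, the block reserved for internal networking."""
    return ipaddress.IPv6Network(cidr).subnet_of(ipaddress.IPv6Network("fc00::/7"))


def slaac_address(prefix64: str, mac: str) -> str:
    """Address a client forms from a radvd-advertised /64 when privacy
    extensions are off: the prefix followed by the modified EUI-64 of its MAC."""
    net = ipaddress.IPv6Network(prefix64)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(modified_eui64(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC embedded in an EUI-64 derived address; None when the
    interface identifier lacks the ff:fe marker (e.g. a temporary privacy address)."""
    iid = (int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    mac = "00:1b:21:3c:4d:5e"  # constructed sample MAC
    ula48 = generate_ula_prefix(mac, 1_700_000_000.5)  # constructed timestamp
    lan64 = ula_subnet(ula48, 1)
    client = slaac_address(str(lan64), mac)
    print("ULA /48:", ula48)
    print("LAN /64:", lan64)
    print("client SLAAC address:", client)
    print("MAC recovered from it:", mac_from_address(client))
```
<br />
Run it with the MAC address of one of your own interfaces (from {{ic|ip link}}) to obtain a prefix for {{ic|radvd.conf}} and the netctl profile above.<br />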
<br />
====Firewall tweaks====<br />
<br />
Stateless autoconfiguration works on the condition that ICMPv6 packets are allowed throughout the network, so some firewall tweaks are required on both ends of the network for it to work properly. On the '''client side''' all you need to do is allow the {{ic|ipv6-icmp}} protocol on the INPUT chain. If you are using [[Simple Stateful Firewall]] you only need to add<br />
<br />
-A INPUT -p ipv6-icmp -j ACCEPT<br />
<br />
You can limit it to the internal network using {{ic|-s fd00:aaaa:bbbb:cccc::/64}} and/or {{ic|-s fe80::/10}} if you consider the unrestricted rule a security risk. Additionally, you must add the same rule to your router firewall, extended to the OUTPUT and FORWARD chains as well.<br />
<br />
-A INPUT -p ipv6-icmp -j ACCEPT<br />
-A OUTPUT -p ipv6-icmp -j ACCEPT<br />
-A FORWARD -p ipv6-icmp -j ACCEPT<br />
<br />
Again, you can limit it to the internal network for the INPUT chain.<br />
<br />
{{Expansion|More information on IPv6 firewalls required}}<br />
{{Expansion|Additional info on running DHCPv6 server instead of SLAAC}}<br />
<br />
===Global Unicast Addresses===<br />
<br />
====Static WAN IPv6====<br />
<br />
If your ISP or WAN network can reach the IPv6 Internet, you can assign global unicast addresses to your router and propagate them through SLAAC to your internal network. If you have a static IPv6 address, all you must do is add it to your external profile and enable the advertisement of the global unicast block in {{ic|radvd.conf}}.<br />
<br />
In {{ic|/etc/netctl/extern0-profile}} simply add the IPv6 address and prefix length (usually /64) you have been provided:<br />
<br />
IPCustom=('-6 addr add 2002:1:2:3:4:5:6:7/64 dev extern0')<br />
<br />
and edit {{ic|/etc/radvd.conf}} to include the new advertisement block.<br />
<br />
interface intern0 {<br />
AdvSendAdvert on;<br />
MinRtrAdvInterval 3;<br />
MaxRtrAdvInterval 10;<br />
prefix fd00:aaaa:bbbb:cccc::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
};<br />
prefix 2002:1:2:3::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
};<br />
};<br />
<br />
In that way your internal network clients will also get a Global IPv6 address. This IP is routable from the open internet, so adjust your firewalls. Please note that global and local IPv6s can co-exist on the same interface without further configuration.<br />
<br />
====Acquiring WAN IPv6 via DHCPv6-PD====<br />
<br />
If your ISP hands out IPv6 addresses using [https://en.wikipedia.org/wiki/Prefix_delegation DHCPv6-PD] you will need a DHCPv6 client to obtain the delegated prefix from your ISP. Common such programs are [https://aur.archlinux.org/packages.php?O=0&L=0&C=0&K=dibbler dibbler], [https://aur.archlinux.org/packages/wide-dhcpv6 wide-dhcpv6] and [https://www.archlinux.org/packages/?sort=&q=dhcpcd&maintainer=&flagged= dhcpcd]. [https://www.archlinux.org/packages/?sort=&q=dhclient&maintainer=&flagged= ISC dhclient] should also work, but documentation on prefix delegation is scarce.<br />
<br />
For '''dibbler''' edit {{ic|/etc/dibbler/client.conf}}<br />
<br />
log-mode short<br />
log-level 7<br />
iface "extern0" {<br />
ia<br />
pd<br />
}<br />
<br />
Recommended read: manpage {{ic|dibbler-client(8)}} for more information.<br />
<br />
For '''wide-dhcpv6''' edit {{ic|/etc/wide-dhcpv6/dhcp6c.conf}}<br />
<br />
interface extern0 {<br />
send ia-pd 0;<br />
};<br />
<br />
id-assoc pd 0 {<br />
prefix-interface intern0 {<br />
sla-id 1;<br />
sla-len 8;<br />
};<br />
};<br />
<br />
To enable and start the wide-dhcpv6 client, use<br />
# systemctl enable/start dhcp6c@extern0.service<br />
<br />
Recommended read: manpages {{ic|dhcp6c(8)}} and {{ic|dhcp6c.conf(5)}} for more information.<br />
<br />
For '''dhcpcd''' edit {{ic|/etc/dhcpcd.conf}}. You might already be using dhcpcd for IPv4, so just update your existing configuration. If you would like to use it for IPv6 only, uncomment the third line ({{ic|ipv6only}}).<br />
<br />
duid<br />
noipv6rs<br />
#ipv6only<br />
interface extern0<br />
ia_pd 1 intern0<br />
<br />
This configuration will ask for a prefix from WAN (interface {{ic|extern0}}) and delegate it to the internal interface ({{ic|intern0}}).<br />
<br />
Also read: manpages {{ic|dhcpcd(8)}} and {{ic|dhcpcd.conf(5)}}<br />
<br />
Because the IPv6 prefix is now dynamic, we need to change radvd to advertise any subnet instead of specific ones. With the following configuration radvd will pick any /64 prefix available on the internal interface and propagate SLAAC IPv6 addresses to the clients. Simply change {{ic|/etc/radvd.conf}} to<br />
<br />
interface intern0 {<br />
AdvSendAdvert on;<br />
MinRtrAdvInterval 3;<br />
MaxRtrAdvInterval 10;<br />
prefix ::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
DeprecatePrefix on;<br />
};<br />
};<br />
<br />
====PPPoE and IPv6====<br />
If your ISP provides IPv6 via PPPoE, you can enable it in your pppoe netctl profile. Just add this line to the profile<br />
<br />
PPPoEIP6=yes<br />
<br />
and restart it. You must also change any {{ic|extern0}} references in the configuration files above to {{ic|ppp0}}, since IPv6 is assigned to the ppp pseudo-interface instead of a real Ethernet interface. Note that, depending on your modem, IPv6 might not be available through half-bridge mode, so switch to full RFC1483 bridging instead.<br />
<br />
==Cleanup==<br />
<br />
Now that the installation has been performed, it is necessary to remove as many unneeded packages as possible. Since we are making a gateway, keeping unneeded packages only "bloats" the system and increases the number of security risks.<br />
<br />
First, check for obsolete or deprecated packages (likely to be present after a fresh install followed by a long series of updates):<br />
<br />
$ pacman -Qm<br />
<br />
Review the list of explicitly installed packages that are not dependencies and remove any that are unneeded. Having only needed packages installed is an important security consideration.<br />
<br />
$ pacman -Qet<br />
<br />
Completely remove the packages you do not need along with their configuration files and dependencies:<br />
<br />
# pacman -Rsn package1 package2 package3<br />
<br />
== Logrotate ==<br />
<br />
You should review the [[logrotate]] configuration to make sure the box is not brought down by lack of disk space due to logging.<br />
<br />
Logrotate is installed by default, so you will not have to install it.<br />
<br />
==Optional additions==<br />
<br />
===UPnP===<br />
The above configuration of shorewall does not include [[Wikipedia:UPnP|UPnP]] support. Use of UPnP is discouraged as it may make the gateway vulnerable to attacks from within the LAN. However, some applications require this to function correctly.<br />
<br />
To enable UPnP on your router, you need to install a UPnP Internet gateway daemon (IGD). To get it, install {{Pkg|miniupnpd}} from the [[official repositories]].<br />
<br />
Read the [http://www.shorewall.net/UPnP.html Shorewall guide on UPnP] for more information.<br />
<br />
===Remote administration===<br />
<br />
[[SSH|OpenSSH]] can be used to administer your router remotely. This is useful for running it "headless" (no monitor or input devices).<br />
<br />
=== Caching web proxy ===<br />
<br />
See [[Squid]] or [[Polipo]] for the setup of a web proxy to speed up browsing and/or add an extra layer of security.<br />
<br />
=== Time server ===<br />
To use the router as a time server, see [[Network Time Protocol]].<br />
<br />
Then, configure shorewall or iptables to allow NTP traffic in and out.<br />
<br />
=== Content filtering ===<br />
<br />
Install and configure [[DansGuardian]] or [[Privoxy]] if you need a content filtering solution.<br />
<br />
=== Traffic shaping ===<br />
<br />
Traffic shaping is very useful, especially when you are not the only one on the LAN. The idea is to assign a priority to different types of traffic. Interactive traffic (ssh, online gaming) probably needs the highest priority, while P2P traffic can do with the lowest. Then there is everything in between.<br />
<br />
==== Traffic shaping with shorewall ====<br />
<br />
Read [http://www.shorewall.net/traffic_shaping.htm Shorewall's Traffic Shaping/Control] guide.<br />
<br />
Here is my config as an example:<br />
* /etc/shorewall/tcdevices : here is where you define the interface you want to have shaped and its rates. I have an ADSL connection with a 4 Mbit down / 256 kbit up profile.<br />
ppp0 4mbit 256kbit <br />
* /etc/shorewall/tcclasses : here you define the minimum (rate) and maximum (ceil) throughput per class. You will assign each one to a type of traffic to shape.<br />
# interactive traffic (ssh)<br />
ppp0 1 full full 0<br />
# online gaming<br />
ppp0 2 full/2 full 5<br />
# http<br />
ppp0 3 full/4 full 10<br />
# rest<br />
ppp0 4 full/6 full 15 default<br />
* /etc/shorewall/tcrules : this file maps each type of traffic to the class it belongs to.<br />
1 0.0.0.0/0 0.0.0.0/0 tcp ssh<br />
2 0.0.0.0/0 0.0.0.0/0 udp 27000:28000<br />
3 0.0.0.0/0 0.0.0.0/0 tcp http<br />
3 0.0.0.0/0 0.0.0.0/0 tcp https<br />
I have split my traffic into 4 groups:<br />
# interactive traffic or ssh: although it takes up almost no bandwidth, it is very annoying if it lags due to leechers on the LAN. This gets the highest priority.<br />
# online gaming: needless to say, you cannot play when your ping sucks. ;)<br />
# web traffic: can be a bit slower<br />
# everything else: every sort of download; they are the cause of the lag anyway.<br />
<br />
===Intrusion detection and prevention with snort===<br />
<br />
See [[Snort]].<br />
<br />
==See also==<br />
*[[Simple stateful firewall]]<br />
*[[Internet Sharing]]</div>Foucaulthttps://wiki.archlinux.org/index.php?title=Router&diff=269579Router2013-08-03T12:51:24Z<p>Foucault: /* Static WAN IPv6 */</p>
<hr />
<div>[[Category:Networking]]<br />
[[Category:Security]]<br />
This article is a tutorial for turning a computer into an internet gateway/router. It focuses on ''security'', since the gateway is connected directly to the Internet. It should not run '''any''' services available to the outside world. Towards the LAN, it should only run gateway-specific services. It should not run httpd, ftpd, samba, nfsd, etc.: those belong on a server inside the LAN, as running them on the gateway introduces security flaws.<br />
<br />
This article does not attempt to show how to set up a shared connection between 2 PCs using cross-over cables. For a simple internet sharing solution, see [[Internet Share]].<br />
<br />
==Hardware Requirements==<br />
* At least 1 GB of hard drive space. The base install will take up around 500 MB of space, and if you want to use a caching web proxy, you will need to reserve space for the cache as well.<br />
* At least two physical network interfaces: a gateway connects two networks with each other. You will need to be able to connect those networks to the same physical computer. One interface must connect to the external network, while the other connects to the internal network.<br />
* A hub, switch or UTP cable: You need a way to connect the other computers to the gateway<br />
<br />
==Conventions==<br />
Conventions in this guide will be to use non-realistic interface names, to avoid confusion about which interface is which.<br />
<br />
* '''intern0''': the network card connected to the LAN. On an actual computer it will probably have the name enp2s0, enp1s1, etc.<br />
* '''extern0''': the network card connected to the external network (or WAN). It will likewise probably have a name like enp2s0, enp1s1, etc.<br />
<br />
==Installation==<br />
{{Note | For a full installation guide, see the [[Official Arch Linux Install Guide]].}}<br />
<br />
A fresh install of Arch Linux is the easiest to start from, as no configuration changes have been made and there is a minimal amount of packages installed. This is helpful when attempting to reduce security risk.<br />
<br />
===Partitioning===<br />
<br />
For security purposes, {{ic|/var}}, {{ic|/tmp}} and {{ic|/home}} should be separate from the {{ic|/}} partition. This prevents disk space from being completely used up by log files, daemons or the unprivileged user. It also allows different mount options for those partitions. If you have already partitioned your drive, the [http://gparted.sourceforge.net/ gparted livecd] can be used to resize, move, or create new partitions.<br />
<br />
Your home and root partitions can be much smaller than a regular install since this is not a desktop machine. {{ic|/var}} should be the largest partition—it is where databases, logs and long-term caches are stored. If you have a lot of RAM, mounting {{ic|/tmp}} as {{ic|tmpfs}} is a good idea, so making a disk partition for it during the initial install is unnecessary. Note that {{ic|/tmp}} is mounted as {{ic|tmpfs}} by default in Arch.<br />
<br />
===Post-Installation===<br />
After creating a non-root account, it is recommended to install [[sudo]] and [[sudo#Disable root login|disable root login]].<br />
<br />
==Network interface configuration==<br />
<br />
===Persistent naming and Interface renaming===<br />
Systemd automatically chooses unique interface names for all your interfaces. These are persistent and will not change when you reboot. If you would like to rename interfaces to more user-friendly names, read [[Network_Configuration#Device_names]].<br />
<br />
===IP configuration===<br />
Now you will need to configure the network interfaces. The best way to do so is using [[netctl]] profiles. You will need to create two profiles.<br />
{{Note|If you will be connecting to the Internet only via PPPoE (you have one WAN port) you '''do not need''' to setup or enable the extern0-profile. See below for more information on configuring PPPoE.}}<br />
* {{ic|/etc/netctl/extern0-profile}}<br />
Description='Public Interface.'<br />
Interface=extern0<br />
Connection=ethernet<br />
IP='dhcp'<br />
<br />
* {{ic|/etc/netctl/intern0-profile}}<br />
Description='Private Interface'<br />
Interface=intern0<br />
Connection=ethernet<br />
IP='static'<br />
Address=('10.0.0.1/24')<br />
<br />
{{Note|The example configuration above assumes a full subnet. If you are building the gateway for a small amount of people, you will want to change the CIDR suffix to accommodate a smaller range. For example /27 will give you 10.0.0.1 to 10.0.0.30. You can find many CIDR calculators online.}}<br />
<br />
Next up is to set up the interfaces with netctl.<br />
# netctl enable extern0-profile<br />
# netctl enable intern0-profile<br />
<br />
==ADSL connection/PPPoE==<br />
Using rp-pppoe, we can connect an ADSL modem to the {{ic|extern0}} interface of the firewall and have Arch manage the connection. Make sure you put the modem in ''bridged'' mode (either half-bridge or RFC 1483 bridging), otherwise the modem will act as a router too.<br />
# pacman -S rp-pppoe<br />
<br />
Note that if you use only PPPoE to connect to the internet (i.e. you have no WAN port other than the one that connects to your modem) you do not need to set up the extern0-profile, as the external interface will be the {{ic|ppp0}} pseudo-interface.<br />
<br />
===PPPoE configuration===<br />
You can use netctl to setup the pppoe connection. To get started<br />
# cp /etc/netctl/examples/pppoe /etc/netctl/<br />
and start editing. For the interface configuration choose the interface that connects to the modem; if you only connect to the internet through PPPoE this will probably be '''extern0'''. Fill in the rest of the fields with your ISP information. See the PPPoE section of the {{ic|netctl.profile(5)}} man page for more information on the fields.<br />
<br />
==DNS and DHCP==<br />
We will use [[dnsmasq]], a DNS and DHCP daemon for the LAN. It was specifically designed for small sites. To get it, [[Pacman | install]] {{Pkg|dnsmasq}} from the [[official repositories]].<br />
<br />
Dnsmasq needs to be configured to be a DHCP server. To do this:<br />
<br />
Edit {{ic|/etc/dnsmasq.conf}}:<br />
<br />
interface=intern0 # answer DNS and DHCP requests only on intern0 (our LAN)<br />
expand-hosts # add a domain to simple hostnames in /etc/hosts<br />
domain=foo.bar # allow fully qualified domain names for DHCP hosts (needed when<br />
# "expand-hosts" is used)<br />
dhcp-range=10.0.0.2,10.0.0.254,255.255.255.0,1h # defines a DHCP-range for the LAN: <br />
# from 10.0.0.2 to .254 (10.0.0.255 is the broadcast address of the /24 and must<br />
# not be handed out) with a subnet mask of 255.255.255.0 and a DHCP lease of<br />
# 1 hour (change to your own preferences)<br />
<br />
Somewhere below, you will notice you can also add "static" DHCP leases, i.e. assign an IP address to the MAC address of a computer on the LAN. This way, whenever the computer requests a new lease, it will get the same IP, which is very useful for network servers with a DNS record. You can also deny certain MACs from obtaining an IP, but treat that as housekeeping rather than access control: a MAC address is trivially spoofed. Note also that {{ic|interface&#61;}} on its own makes dnsmasq bind the wildcard address and merely discard requests arriving on other interfaces; add {{ic|bind-interfaces}} if you want it to bind only to {{ic|intern0}}, so that nothing is listening on the WAN side at all.<br />
<br />
Now start dnsmasq and enable it so that it comes up on boot:<br />
# systemctl start dnsmasq.service<br />
# systemctl enable dnsmasq.service<br />
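The CIDR note above and the {{ic|dhcp-range}} line are the two places where an off-by-one ends up handing out the network or broadcast address. The following is an added example (not code from this page or from dnsmasq) that does the subnet arithmetic and validates a {{ic|dhcp-range}} line against the interface's subnet; it uses only the Python standard library, the subnet and the {{ic|dhcp-range}} line are the ones from this page, and the reservation list is a constructed sample.<br />
<br />
```python
"""Address-plan helpers for the LAN side of the gateway.

Added example for this section (the CIDR note above and the dhcp-range
line in /etc/dnsmasq.conf); it is not part of the wiki page or of dnsmasq.
Standard library only, so it runs offline. The subnet 10.0.0.1/24 and the
dhcp-range line are the page's; the reservation list is a constructed sample.
"""
import ipaddress
import re
from typing import Iterable, List, Tuple

# Plain form of the dnsmasq directive: dhcp-range=<start>,<end>[,<netmask>|<mode>][,<lease>]
# (tagged and interface-qualified forms such as dhcp-range=tag:x,... are not handled).
_DHCP_RANGE = re.compile(
    r"^dhcp-range=([^,\s]+),([^,\s]+)(?:,([^,\s]+))?(?:,([^,\s]+))?$"
)


def usable_hosts(iface_cidr: str) -> Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address, ipaddress.IPv4Address]:
    """Network plus first and last usable address for an interface address like 10.0.0.1/27."""
    net = ipaddress.ip_interface(iface_cidr).network
    hosts = list(net.hosts())  # hosts() excludes the network and broadcast addresses
    return net, hosts[0], hosts[-1]


def dhcp_pool(iface_cidr: str, reserved: Iterable[str] = (), lease: str = "1h") -> str:
    """Build a dhcp-range line from the largest run of usable addresses that
    excludes the router's own address and any statically reserved ones."""
    iface = ipaddress.ip_interface(iface_cidr)
    net = iface.network
    taken = {ipaddress.ip_address(r) for r in reserved} | {iface.ip}
    runs: List[List[ipaddress.IPv4Address]] = []
    current: List[ipaddress.IPv4Address] = []
    for host in net.hosts():
        if host in taken:
            if current:
                runs.append(current)
            current = []
        else:
            current.append(host)
    if current:
        runs.append(current)
    if not runs:
        raise ValueError(f"no free addresses in {net}")
    pool = max(runs, key=len)
    return f"dhcp-range={pool[0]},{pool[-1]},{net.netmask},{lease}"


def check_dhcp_range(line: str, iface_cidr: str) -> List[str]:
    """Check a dhcp-range line against the interface's subnet; returns the
    problems found (an empty list means the line is consistent)."""
    m = _DHCP_RANGE.match(line.strip())
    if not m:
        return ["not a plain dhcp-range line"]
    start, end, mask, _lease = m.groups()
    iface = ipaddress.ip_interface(iface_cidr)
    net = iface.network
    try:
        start_ip, end_ip = ipaddress.ip_address(start), ipaddress.ip_address(end)
    except ValueError as exc:
        return [f"unparseable address: {exc}"]
    problems: List[str] = []
    if mask:
        try:
            mask_ip = ipaddress.ip_address(mask)
        except ValueError:
            mask_ip = None  # dnsmasq also accepts mode keywords such as "static" here
        if mask_ip is not None and mask_ip != net.netmask:
            problems.append(f"netmask {mask} does not match {net}")
    for ip in (start_ip, end_ip):
        if ip not in net:
            problems.append(f"{ip} is outside {net}")
        elif ip == net.broadcast_address:
            problems.append(f"{ip} is the broadcast address of {net}")
        elif ip == net.network_address:
            problems.append(f"{ip} is the network address of {net}")
    if start_ip > end_ip:
        problems.append("range start is after range end")
    elif start_ip <= iface.ip <= end_ip:
        problems.append(f"router address {iface.ip} lies inside the pool")
    return problems
```

Run {{ic|check_dhcp_range}} over the {{ic|dhcp-range}} line before restarting dnsmasq; {{ic|dhcp_pool}} gives you a line that already leaves out the router address and any reservations you keep for servers.<br />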
<br />
==Connection sharing==<br />
<br />
Time to tie the two network interfaces to each other.<br />
===iptables===<br />
[[Simple stateful firewall]] documents the setup of an [[iptables]] firewall and NAT.<br />
<br />
===Shorewall===<br />
Shorewall, an iptables frontend, can be used as an easier alternative.<br />
<br />
# pacman -S shorewall<br />
<br />
====Shorewall configuration====<br />
<br />
See [[Shorewall]] for Shorewall configuration.<br />
<br />
==IPv6==<br />
<br />
''Useful reading: [[IPv6]] and the [https://en.wikipedia.org/wiki/IPv6 Wikipedia IPv6 entry].''<br />
<br />
You can use your router in IPv6 mode even if you do not have an IPv6 address from your ISP. Unless you disable IPv6, every interface is automatically assigned a link-local address from {{ic|fe80::/10}}.<br />
<br />
For internal networking the block {{ic|fc00::/7}} has been reserved; addresses in it are called [http://en.wikipedia.org/wiki/Unique_local_address Unique Local Addresses] (ULA, RFC 4193). A ULA prefix is {{ic|fd00::/8}} followed by a 40-bit pseudo-random global ID, giving a /48 from which you pick /64 subnets. The random global ID makes collisions between sites very unlikely (not impossible), and the block is not routed on the public internet. To get started [http://www.simpledns.com/private-ipv6.aspx generate a ULA block] to use in your network. For this example we will use {{ic|fd00:aaaa:bbbb:cccc::/64}}. First we must assign a static IPv6 address on the internal interface. Modify the {{ic|intern0-profile}} we created above to include the following line<br />
IPCustom=('-6 addr add fd00:aaaa:bbbb:cccc::1/64 dev intern0')<br />
This will add the ULA to the internal interface (netctl's native equivalent is {{ic|IP6&#61;static}} together with {{ic|Address6&#61;('fd00:aaaa:bbbb:cccc::1/64')}}). As far as the router goes, this is all you need to configure.<br />
<br />
===Router Advertisement and Stateless Autoconfiguration (SLAAC)===<br />
<br />
To properly hand out IPv6 addresses to the network clients we will need to use an advertising daemon. The standard tool for this job is {{ic|radvd}}, available in {{ic|[community]}}. radvd expects IPv6 forwarding to be enabled ({{ic|net.ipv6.conf.all.forwarding&#61;1}} via [[sysctl]]) and complains if it is not. Configuration of radvd is fairly simple. Edit {{ic|/etc/radvd.conf}} to include<br />
<br />
interface intern0 {<br />
AdvSendAdvert on;<br />
MinRtrAdvInterval 3;<br />
MaxRtrAdvInterval 10;<br />
prefix fd00:aaaa:bbbb:cccc::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
};<br />
};<br />
<br />
The above configuration tells clients to autoconfigure themselves with addresses from the specified /64 block. Without privacy extensions a client derives its address from the MAC address of the connected interface (modified EUI-64), which makes the host trackable across networks and leaks the hardware address; with [[IPv6#Privacy_Extensions|privacy extensions]] (RFC 4941, recommended) it additionally uses short-lived random addresses for outgoing connections. On the client side you need to enable {{ic|IP6&#61;stateless}} in your active netctl profile. If you want a static IP as well add<br />
IPCustom=('-6 addr add fd00:aaaa:bbbb:cccc::2/64 dev eth0')<br />
<br />
Finally, start and enable {{ic|radvd.service}}.<br />
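The ULA paragraph above points at an online generator, and the SLAAC paragraph says clients build addresses from their MAC. The following added example (not code from this page, netctl or radvd) does both in Python with only the standard library: it generates a ULA /48 the way RFC 4193 specifies, carves a /64 out of it, computes the EUI-64 address a client will form for the page's prefix, and shows how the MAC can be read straight back out of such an address, which is why privacy extensions are recommended. The MAC addresses and the timestamp used as inputs are constructed.<br />
<br />
```python
"""IPv6 address planning for the LAN: generating a ULA prefix and deriving
the SLAAC address a client will form from it.

Added example covering the ULA paragraph and the SLAAC paragraph of this
section; it is not code from the wiki page, netctl or radvd. Standard
library only. The MAC addresses and the timestamp used as inputs are
constructed.
"""
import hashlib
import ipaddress
import time
from typing import Optional

ULA_BLOCK = ipaddress.IPv6Network("fc00::/7")   # RFC 4193
NTP_EPOCH_OFFSET = 2208988800                   # seconds from 1900-01-01 to 1970-01-01


def modified_eui64(mac: str) -> bytes:
    """RFC 4291 appendix A: 48-bit MAC -> 64-bit interface identifier
    (insert ff:fe in the middle, flip the universal/local bit)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must have 6 octets")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def generate_ula_prefix(mac: str, when: Optional[float] = None) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: a /48 under fd00::/8 whose 40-bit global ID is
    the low 40 bits of SHA-1(64-bit NTP timestamp || EUI-64 of an interface)."""
    when = time.time() if when is None else when
    seconds = (int(when) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    fraction = int((when - int(when)) * (1 << 32)) & 0xFFFFFFFF
    ntp_timestamp = seconds.to_bytes(4, "big") + fraction.to_bytes(4, "big")
    digest = hashlib.sha1(ntp_timestamp + modified_eui64(mac)).digest()
    global_id = digest[-5:]                       # least significant 40 bits
    network_bytes = b"\xfd" + global_id + bytes(10)
    return ipaddress.IPv6Network((ipaddress.IPv6Address(network_bytes), 48))


def lan_subnet(ula48: str, subnet_id: int) -> ipaddress.IPv6Network:
    """One of the 65536 /64s inside the /48 (the page's 'cccc' is subnet_id 0xcccc)."""
    net = ipaddress.IPv6Network(ula48)
    if net.prefixlen != 48:
        raise ValueError("expected a /48")
    if not 0 <= subnet_id < (1 << 16):
        raise ValueError("subnet id must fit in 16 bits")
    base = int(net.network_address) | (subnet_id << 64)
    return ipaddress.IPv6Network((ipaddress.IPv6Address(base), 64))


def is_ula(net: str) -> bool:
    return ipaddress.IPv6Network(net).subnet_of(ULA_BLOCK)


def slaac_address(prefix64: str, mac: str) -> ipaddress.IPv6Address:
    """Address a client without privacy extensions forms from an RA for prefix64 (RFC 4862)."""
    net = ipaddress.IPv6Network(prefix64)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 identifiers needs a /64")
    iid = int.from_bytes(modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 based address; None if the interface
    identifier is not EUI-64 shaped (e.g. an RFC 4941 temporary address).
    This is the leak that privacy extensions exist to avoid."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in octets)
```

Generate the prefix once, store it in the netctl profile and radvd.conf, and do not regenerate it on every boot; RFC 4193 expects the global ID to stay fixed for the life of the site so that addresses and DNS records remain stable.<br />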
<br />
====Firewall tweaks====<br />
<br />
Stateless autoconfiguration only works if ICMPv6 Neighbor Discovery messages (router solicitations and advertisements, neighbor solicitations and advertisements) are allowed on both ends of the link, so some firewall tweaks are required on both the router and the clients. On the '''client side''' all you need to do is allow the {{ic|ipv6-icmp}} protocol on the INPUT chain. If you are using [[Simple Stateful Firewall]] you only need to add<br />
<br />
-A INPUT -p ipv6-icmp -j ACCEPT<br />
<br />
You can limit it to the internal network using {{ic|-s fd00:aaaa:bbbb:cccc::/64}} and/or {{ic|-s fe80::/10}}. Router advertisements are always sent from the router's link-local address and every Neighbor Discovery message carries a hop limit of 255, so {{ic|-s fe80::/10}} is enough for the advertisements a client needs; neighbor solicitations and advertisements may also come from global addresses, so a client that restricts the source should include the LAN prefix as well. On the router you must add the same rules, but extended to the OUTPUT and FORWARD chains as well:<br />
<br />
-A INPUT -p ipv6-icmp -j ACCEPT<br />
-A OUTPUT -p ipv6-icmp -j ACCEPT<br />
-A FORWARD -p ipv6-icmp -j ACCEPT<br />
<br />
Again, you can limit the INPUT rule to the internal network. Keep in mind that the router should be the only system sending router advertisements on the LAN: an advertisement accepted from any other host on {{ic|intern0}} (a rogue RA) can replace the default route and DNS of every client, so do not accept ICMPv6 type 134 on the internal interface at all, and in FORWARD pass only the error and echo types (1 to 4, 128 and 129) rather than the whole protocol. RFC 4890 lists the ICMPv6 types a firewall should and should not pass.<br />
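The blanket {{ic|-p ipv6-icmp -j ACCEPT}} rules above are the quick version. The following added example (not code from this page or from any iptables tool) renders ip6tables rules for INPUT, OUTPUT and FORWARD that follow the RFC 4890 recommendations instead, with Neighbor Discovery matched on hop limit 255 and router advertisements accepted only from a link-local source on the WAN side, and it audits a rule list for the two things the blanket rules allow: advertisements from the LAN and Neighbor Discovery through FORWARD. Interface names and the ULA prefix are the page's; a default DROP policy on INPUT and FORWARD is assumed, as in [[Simple stateful firewall]].<br />
<br />
```python
"""ICMPv6 rules for the router, scoped by message type, interface and hop limit.

Added example for the firewall tweaks of this section; not from the wiki
page or from any iptables tool. It renders ip6tables rules following the
RFC 4890 recommendations and audits a rule list for router advertisements
accepted from the LAN (rogue RA) and neighbour-discovery types accepted in
FORWARD. Interface names and the ULA prefix are the page's; a default DROP
policy on INPUT and FORWARD is assumed.
"""
from dataclasses import dataclass
from typing import List, Optional

# ICMPv6 message types (RFC 4443, RFC 4861)
DEST_UNREACH, PACKET_TOO_BIG, TIME_EXCEEDED, PARAM_PROBLEM = 1, 2, 3, 4
ECHO_REQUEST, ECHO_REPLY = 128, 129
ROUTER_SOLICIT, ROUTER_ADVERT, NEIGHBOR_SOLICIT, NEIGHBOR_ADVERT = 133, 134, 135, 136
ERROR_TYPES = (DEST_UNREACH, PACKET_TOO_BIG, TIME_EXCEEDED, PARAM_PROBLEM)
ND_TYPES = (ROUTER_SOLICIT, ROUTER_ADVERT, NEIGHBOR_SOLICIT, NEIGHBOR_ADVERT)
LINK_LOCAL = "fe80::/10"


@dataclass
class Rule:
    chain: str
    icmp_type: Optional[int]      # None = every ICMPv6 type, as in the blanket rules above
    in_if: Optional[str] = None
    src: Optional[str] = None
    hop_limit: Optional[int] = None
    target: str = "ACCEPT"

    def render(self) -> str:
        parts = ["-A", self.chain]
        if self.in_if:
            parts += ["-i", self.in_if]
        if self.src:
            parts += ["-s", self.src]
        parts += ["-p", "ipv6-icmp"]
        if self.icmp_type is not None:
            parts += ["--icmpv6-type", str(self.icmp_type)]
        if self.hop_limit is not None:
            parts += ["-m", "hl", "--hl-eq", str(self.hop_limit)]
        parts += ["-j", self.target]
        return " ".join(parts)


def icmpv6_rules(lan_if: str, wan_if: str, lan_prefix: str) -> List[Rule]:
    rules: List[Rule] = []
    # Error messages must pass end to end; type 2 (packet too big) is what keeps
    # path MTU discovery, and therefore most TCP sessions, working.
    for chain in ("INPUT", "FORWARD"):
        for t in ERROR_TYPES:
            rules.append(Rule(chain, t))
        rules.append(Rule(chain, ECHO_REPLY))
    rules.append(Rule("FORWARD", ECHO_REQUEST))
    # Ping the router itself only from the LAN, as the page suggests with -s.
    rules.append(Rule("INPUT", ECHO_REQUEST, in_if=lan_if, src=lan_prefix))
    # Neighbour discovery is link-scoped: RFC 4861 requires hop limit 255, so
    # matching on it rejects anything that was routed. NS/NA are needed on both links
    # and may come from link-local, global or (for DAD) unspecified sources.
    for iface in (lan_if, wan_if):
        for t in (NEIGHBOR_SOLICIT, NEIGHBOR_ADVERT):
            rules.append(Rule("INPUT", t, in_if=iface, hop_limit=255))
    # Clients solicit on the LAN; the router answers with its own advertisements.
    rules.append(Rule("INPUT", ROUTER_SOLICIT, in_if=lan_if, hop_limit=255))
    # Advertisements are accepted only from the upstream link and only from a link-local source.
    rules.append(Rule("INPUT", ROUTER_ADVERT, in_if=wan_if, src=LINK_LOCAL, hop_limit=255))
    # The router's own ICMPv6 (its RAs, NS/NA, error messages) may leave freely.
    rules.append(Rule("OUTPUT", None))
    return rules


def audit(rules: List[Rule], lan_if: str) -> List[str]:
    """Flag ACCEPT rules that let a LAN host inject RAs or that forward ND."""
    findings: List[str] = []
    for r in rules:
        if r.target != "ACCEPT":
            continue
        if r.chain == "INPUT" and r.icmp_type in (None, ROUTER_ADVERT):
            if r.in_if in (None, lan_if) or r.hop_limit != 255 or r.src != LINK_LOCAL:
                findings.append(f"router advertisements accepted too broadly: {r.render()}")
        if r.chain == "FORWARD" and (r.icmp_type is None or r.icmp_type in ND_TYPES):
            findings.append(f"neighbour discovery type reachable through FORWARD: {r.render()}")
    return findings


def render_all(rules: List[Rule]) -> str:
    """One line per ip6tables invocation (or the rule part of an ip6tables-restore file)."""
    return "\n".join(r.render() for r in rules)
```

Feed the output of {{ic|render_all}} into your {{ic|ip6tables}} rule set; the {{ic|audit}} function is the check to run on whatever rules you end up with, since it is easy to lose the interface or hop-limit restriction on the type 134 rule when editing by hand.<br />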
<br />
{{Expansion|More information on IPv6 firewalls required}}<br />
{{Expansion|Additional info on running DHCPv6 server instead of SLAAC}}<br />
<br />
===Global Unicast Addresses===<br />
<br />
====Static WAN IPv6====<br />
<br />
If your ISP or WAN network can reach the IPv6 internet you can assign global unicast addresses to your router and propagate them through SLAAC to your internal network. If you have a static IPv6 prefix, all you must do is add the address to your external profile and enable advertisement of the global unicast block in {{ic|radvd.conf}}.<br />
<br />
In {{ic|/etc/netctl/extern0-profile}} simply add the IPv6 address and prefix length (usually /64) you have been provided. The address below is only a placeholder ({{ic|2002::/16}} is the 6to4 prefix); substitute the address your ISP actually gave you.<br />
<br />
IPCustom=('-6 addr add 2002:1:2:3:4:5:6:7/64 dev extern0')<br />
<br />
and edit {{ic|/etc/radvd.conf}} to include the new advertisement block.<br />
<br />
interface intern0 {<br />
AdvSendAdvert on;<br />
MinRtrAdvInterval 3;<br />
MaxRtrAdvInterval 10;<br />
prefix fd00:aaaa:bbbb:cccc::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
};<br />
prefix 2002:1:2:3::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
};<br />
};<br />
<br />
In that way your internal network clients will also get a global IPv6 address. Unlike NATed IPv4, this address is routable from the open internet, so every LAN host is directly reachable: make sure the FORWARD chain of your firewall drops new inbound connections from the WAN by default and only passes established traffic (plus the ICMPv6 types discussed above). Global and local IPv6 addresses can co-exist on the same interface without further configuration.<br />
<br />
====Acquiring WAN IPv6 via DHCPv6-PD====<br />
<br />
If your ISP hands out IPv6 prefixes using DHCPv6-PD (prefix delegation) you will need a DHCPv6 client to obtain the prefix from your ISP. Common such programs are [https://aur.archlinux.org/packages.php?O=0&L=0&C=0&K=dibbler dibbler] and [https://aur.archlinux.org/packages/wide-dhcpv6 wide-dhcpv6]. For dibbler edit {{ic|/etc/dibbler/client.conf}}<br />
<br />
log-mode short<br />
log-level 7<br />
iface "extern0" {<br />
ia<br />
pd<br />
}<br />
<br />
and for wide-dhcpv6 edit {{ic|/etc/wide-dhcpv6/dhcp6c.conf}}<br />
<br />
interface extern0 {<br />
send ia-pd 0;<br />
};<br />
<br />
id-assoc pd 0 {<br />
prefix-interface intern0 {<br />
sla-id 1;<br />
sla-len 8;<br />
};<br />
};<br />
To enable and start the wide-dhcpv6 client, use<br />
# systemctl enable dhcp6c@extern0.service<br />
# systemctl start dhcp6c@extern0.service<br />
<br />
Because the IPv6 prefix is now dynamic, we need to change radvd to advertise whatever is configured instead of a specific prefix. With the special prefix {{ic|::/64}} radvd picks every non-link-local /64 present on the internal interface and propagates it to the clients via SLAAC, and {{ic|DeprecatePrefix on}} makes it announce the prefix with a zero lifetime on shutdown so clients drop the old addresses. One more thing is needed for the default route: with forwarding enabled the kernel ignores router advertisements, so set {{ic|net.ipv6.conf.extern0.accept_ra&#61;2}} (via [[sysctl]]) or the router will receive its prefix but no default route from the ISP. Simply change {{ic|/etc/radvd.conf}} to<br />
<br />
interface intern0 {<br />
AdvSendAdvert on;<br />
MinRtrAdvInterval 3;<br />
MaxRtrAdvInterval 10;<br />
prefix ::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
DeprecatePrefix on;<br />
};<br />
};<br />
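The {{ic|sla-id}}/{{ic|sla-len}} pair in {{ic|dhcp6c.conf}} above silently assumes the ISP delegates a /56: the LAN prefix is the delegated prefix extended by {{ic|sla-len}} bits holding {{ic|sla-id}}, and it has to come out as a /64 for SLAAC. The following added example (not code from this page or from wide-dhcpv6) does that arithmetic in Python with the standard library, reports settings that cannot work, and shows what {{ic|prefix ::/64}} in {{ic|radvd.conf}} resolves to for a given set of interface addresses. The delegated prefixes are constructed examples from the documentation range {{ic|2001:db8::/32}}.<br />
<br />
```python
"""Prefix arithmetic behind the dhcp6c.conf above: which /64 lands on intern0,
and whether sla-len matches the size of the delegation the ISP actually hands out.

Added example; not code from the wiki page or from wide-dhcpv6. It re-does
what prefix-interface/sla-id/sla-len describe: the delegated prefix is
extended by sla-len bits that hold sla-id, and the result must be a /64 for
SLAAC to work on the LAN. The delegated prefixes are constructed examples
from the documentation range 2001:db8::/32.
"""
import ipaddress
from typing import List, Optional


def delegated_subnet(pd_prefix: str, sla_id: int, sla_len: int) -> ipaddress.IPv6Network:
    """The LAN prefix dhcp6c assigns for a given delegation and SLA settings."""
    pd = ipaddress.IPv6Network(pd_prefix)
    new_len = pd.prefixlen + sla_len
    if new_len != 64:
        raise ValueError(
            f"{pd} plus sla-len {sla_len} gives a /{new_len}; SLAAC needs a /64 "
            f"(use sla-len {64 - pd.prefixlen})"
        )
    if not 0 <= sla_id < (1 << sla_len):
        raise ValueError(f"sla-id {sla_id} does not fit in {sla_len} bits")
    # The SLA ID occupies the bits just above the 64-bit interface identifier.
    address = int(pd.network_address) | (sla_id << (128 - new_len))
    return ipaddress.IPv6Network((ipaddress.IPv6Address(address), new_len))


def sla_len_for(pd_prefix: str) -> int:
    """sla-len that turns this delegation into /64 subnets (8 for a /56, 4 for a /60)."""
    pd = ipaddress.IPv6Network(pd_prefix)
    if pd.prefixlen > 64:
        raise ValueError(f"{pd} is too small to carve a /64 from")
    return 64 - pd.prefixlen


def check_pd_config(pd_prefix: str, sla_id: int, sla_len: int) -> Optional[str]:
    """Return the problem with these settings, or None if they produce a valid /64."""
    try:
        delegated_subnet(pd_prefix, sla_id, sla_len)
    except ValueError as exc:
        return str(exc)
    return None


def radvd_advertised_prefixes(interface_addresses: List[str]) -> List[ipaddress.IPv6Network]:
    """What 'prefix ::/64' in radvd.conf resolves to: every non-link-local /64
    configured on the interface, so the ULA and the delegated prefix are both advertised."""
    out: List[ipaddress.IPv6Network] = []
    for a in interface_addresses:
        iface = ipaddress.IPv6Interface(a)
        if iface.network.prefixlen == 64 and not iface.is_link_local:
            out.append(iface.network)
    return out
```

If {{ic|check_pd_config}} reports a problem for the prefix length your ISP actually delegates (visible in the dhcp6c log), adjust {{ic|sla-len}} to the value {{ic|sla_len_for}} returns and keep {{ic|sla-id}} below {{ic|2^sla-len}}.<br />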
<br />
====PPPoE and IPv6====<br />
If your ISP provides IPv6 via PPPoE you can enable it in your PPPoE netctl profile. Just add this line to the profile<br />
<br />
PPPoEIP6=yes<br />
<br />
and restart it. Also change every {{ic|extern0}} reference in the configuration files above to {{ic|ppp0}}, since IPv6 is assigned to the ppp pseudo-interface instead of a real ethernet interface. Depending on your modem, IPv6 might not be available through half-bridge mode; switch to full RFC 1483 bridging instead.<br />
<br />
==Cleanup==<br />
<br />
Now that the installation has been performed, remove as many packages as possible. Since we are making a gateway, every unneeded package only bloats the system and adds code that may need security updates.<br />
<br />
First, list foreign packages, i.e. packages not found in any configured repository (typically AUR packages, or packages that were dropped from the repositories after a series of updates):<br />
<br />
$ pacman -Qm<br />
<br />
Then review the list of explicitly installed packages that are not required by any other package and remove any that are unneeded. Having only needed packages installed is an important security consideration.<br />
<br />
$ pacman -Qet<br />
<br />
Completely remove the packages you do not need along with their configuration files and dependencies:<br />
<br />
# pacman -Rsn package1 package2 package3<br />
<br />
== Logrotate ==<br />
<br />
You should review the [[logrotate]] configuration to make sure the box is not brought down by lack of diskspace due to logging.<br />
<br />
Logrotate is installed by default, so you will not have to install it.<br />
<br />
==Optional additions==<br />
<br />
===UPnP===<br />
The above configuration of shorewall does not include [http://en.wikipedia.org/wiki/UPnP UPnP] support. Use of UPnP is discouraged: the IGD protocol lets any host on the LAN open inbound ports on the gateway without authentication, so a single compromised client can expose the whole network. However, some applications such as MSN require this to function correctly.<br />
<br />
Read the [http://www.shorewall.net/UPnP.html Shorewall guide on UPnP] for more information<br />
<br />
===Remote administration===<br />
<br />
[[SSH|OpenSSH]] can be used to administer your router remotely. This is useful for running it "headless" (no monitor or input devices). In keeping with the rule that the gateway offers no services to the outside world, make {{ic|sshd}} listen only on the internal address ({{ic|ListenAddress 10.0.0.1}} in {{ic|/etc/ssh/sshd_config}}) or block port 22 on {{ic|extern0}}, and use key-based authentication with {{ic|PasswordAuthentication no}}.<br />
<br />
=== Caching web proxy ===<br />
<br />
See [[Squid]] or [[Polipo]] for the setup of a web proxy to speed up browsing and/or adding an extra layer of security.<br />
<br />
=== Time server ===<br />
To use the router as a time server, see [[Network Time Protocol]].<br />
<br />
Then, configure shorewall or iptables to allow NTP traffic in and out.<br />
<br />
=== Content filtering ===<br />
<br />
Install and configure [[DansGuardian]] or [[Privoxy]] if you need a content filtering solution.<br />
<br />
=== Traffic shaping ===<br />
<br />
Traffic shaping is very useful, especially when you are not the only one on the LAN. The idea is to assign a priority to different types of traffic. Interactive traffic (ssh, online gaming) probably needs the highest priority, while P2P traffic can do with the lowest. Then there is everything in between.<br />
<br />
==== Traffic shaping with shorewall ====<br />
<br />
Read [http://www.shorewall.net/traffic_shaping.htm Shorewall's Traffic Shaping/Control] guide.<br />
<br />
Here is my config as an example:<br />
* /etc/shorewall/tcdevices : here is where you define the interface you want to have shaped and its rates. I have got an ADSL connection with a 4MBit down/256KBit up profile.<br />
ppp0 4mbit 256kbit <br />
* /etc/shorewall/tcclasses : here you define the minimum (rate) and maximum (ceil) throughput per class. You will assign each one to a type of traffic to shape.<br />
# interactive traffic (ssh)<br />
ppp0 1 full full 0<br />
# online gaming<br />
ppp0 2 full/2 full 5<br />
# http<br />
ppp0 3 full/4 full 10<br />
# rest<br />
ppp0 4 full/6 full 15 default<br />
* /etc/shorewall/tcrules : this file contains the types of traffic and the class it belongs to.<br />
1 0.0.0.0/0 0.0.0.0/0 tcp ssh<br />
2 0.0.0.0/0 0.0.0.0/0 udp 27000:28000<br />
3 0.0.0.0/0 0.0.0.0/0 tcp http<br />
3 0.0.0.0/0 0.0.0.0/0 tcp https<br />
I have split my traffic into 4 groups: <br />
# interactive traffic or ssh: although it takes up almost no bandwidth, it is very annoying if it lags due to leechers on the LAN. This gets the highest priority.<br />
# online gaming: needless to say you cannot play when your ping sucks. ;)<br />
# webtraffic: can be a bit slower<br />
# everything else: every sort of download, they are the cause of the lag anyway.<br />
<br />
===Intrusion detection and prevention with snort===<br />
<br />
See [[Snort]].<br />
<br />
==See also==<br />
*[[Simple stateful firewall]]<br />
*[[Internet Share]]</div>Foucaulthttps://wiki.archlinux.org/index.php?title=Router&diff=269521Router2013-08-02T23:47:01Z<p>Foucault: /* IPv6 */ typos</p>
<hr />
<div>[[Category:Networking]]<br />
[[Category:Security]]<br />
This article is a tutorial for turning a computer into an internet gateway/router. It focuses on ''security'', since the gateway is connected directly to the Internet. It should not run '''any''' services available to the outside world, and towards the LAN it should only run gateway-specific services. It should not run httpd, ftpd, samba, nfsd, etc.; those belong on a server inside the LAN, and every extra service on the gateway is additional attack surface.<br />
<br />
This article does not attempt to show how to set up a shared connection between 2 PCs using cross-over cables. For a simple internet sharing solution, see [[Internet Share]].<br />
<br />
==Hardware Requirements==<br />
* At least 1 GB of hard drive space. The base install will take up around 500MB of space and if you want to use a caching web proxy, you will need to reserve space for the cache as well.<br />
* At least two physical network interfaces: a gateway connects two networks with each other. You will need to be able to connect those networks to the same physical computer. One interface must connect to the external network, while the other connects to the internal network.<br />
* A hub, switch or UTP cable: You need a way to connect the other computers to the gateway<br />
<br />
==Conventions==<br />
Conventions in this guide will be to use non-realistic interface names, to avoid confusion about which interface is which.<br />
<br />
* '''intern0''': the network card connected to the LAN. On an actual computer it will probably have a name like enp2s0 or enp1s1.<br />
* '''extern0''': the network card connected to the external network (or WAN). It will likewise have a name like enp2s0 or enp1s1. The netctl profiles below use these two names.<br />
<br />
==Installation==<br />
{{Note | For a full installation guide, see the [[Official Arch Linux Install Guide]].}}<br />
<br />
</div>Foucaulthttps://wiki.archlinux.org/index.php?title=Router&diff=269485Router2013-08-02T18:20:02Z<p>Foucault: /* Static WAN IPv6 */ typo</p>
<hr />
<div>[[Category:Networking]]<br />
[[Category:Security]]<br />
This article is a tutorial for turning a computer into an internet gateway/router. It focuses on ''security'', since the gateway is connected directly to the Internet. It should not run '''any''' services available to the outside world. Towards the LAN, it should only run gateway-specific services. It should not run httpd, ftpd, samba, nfsd, etc.: those belong on a server inside the LAN, since every additional service adds attack surface to the gateway.<br />
<br />
This article does not attempt to show how to set up a shared connection between 2 PCs using cross-over cables. For a simple internet sharing solution, see [[Internet Share]].<br />
<br />
==Hardware Requirements==<br />
* At least 1 GB of hard drive space. The base install takes up around 500 MB, and if you want to use a caching web proxy, you will need to reserve space for the cache as well.<br />
* At least two physical network interfaces: a gateway connects two networks with each other, so both must be connected to the same physical computer. One interface connects to the external network, the other to the internal network.<br />
* A hub, switch or UTP cable: you need a way to connect the other computers to the gateway.<br />
<br />
==Conventions==<br />
This guide uses deliberately unrealistic interface names, to avoid confusion about which interface is which.<br />
<br />
* '''intern0''': the network card connected to the LAN. On an actual computer it will probably have a name like enp2s0, enp1s1, etc.<br />
* '''extern0''': the network card connected to the external network (or WAN). It will likewise have a name like enp2s0, enp1s1, etc.<br />
<br />
==Installation==<br />
{{Note | For a full installation guide, see the [[Official Arch Linux Install Guide]].}}<br />
<br />
A fresh install of Arch Linux is the easiest starting point: no configuration changes have been made yet and only a minimal set of packages is installed, which helps keep the attack surface small.<br />
<br />
===Partitioning===<br />
<br />
For security purposes, {{ic|/var}}, {{ic|/tmp}} and {{ic|/home}} should be separate from the {{ic|/}} partition. This prevents disk space from being completely used up by log files, daemons or the unprivileged user, and it allows different mount options (such as {{ic|nodev}}, {{ic|nosuid}} or {{ic|noexec}}) for those partitions. If you have already partitioned your drive, the [http://gparted.sourceforge.net/ gparted livecd] can be used to resize, move, or create new partitions.<br />
<br />
Your home and root partitions can be much smaller than for a regular install, since this is not a desktop machine. {{ic|/var}} should be the largest partition: it is where databases, logs and long-term caches are stored. If you have a lot of RAM, mounting {{ic|/tmp}} as {{ic|tmpfs}} is a good idea, so making a disk partition for it during the initial install is unnecessary. Note that {{ic|/tmp}} is mounted as {{ic|tmpfs}} by default in Arch.<br />
<br />
===Post-Installation===<br />
After creating a non-root account, install [[sudo]] and [[sudo#Disable root login|disable root login]].<br />
<br />
==Network interface configuration==<br />
<br />
===Persistent naming and Interface renaming===<br />
Systemd automatically chooses unique, persistent names for all your interfaces; they will not change when you reboot. If you would like to rename the interfaces to friendlier names, read [[Network_Configuration#Device_names]].<br />
<br />
===IP configuration===<br />
Now you will need to configure the network interfaces. The best way to do so is with [[netctl]] profiles. You will need to create two profiles.<br />
{{Note|If you will be connecting to the Internet only via PPPoE (you have one WAN port) you '''do not need''' to set up or enable the extern0-profile. See below for more information on configuring PPPoE.}}<br />
* {{ic|/etc/netctl/extern0-profile}}<br />
{{bc|1=Description='Public Interface'<br />
Interface=extern0<br />
Connection=ethernet<br />
IP='dhcp'}}<br />
<br />
* {{ic|/etc/netctl/intern0-profile}}<br />
{{bc|1=Description='Private Interface'<br />
Interface=intern0<br />
Connection=ethernet<br />
IP='static'<br />
Address=('10.0.0.1/24')}}<br />
<br />
{{Note|The example configuration above assumes a full subnet. If you are building the gateway for a small amount of people, you will want to change the CIDR suffix to accommodate a smaller range. For example /27 will give you 10.0.0.1 to 10.0.0.30. You can find many CIDR calculators online.}}<br />
<br />
Next, enable the interfaces with netctl:<br />
{{bc|# netctl enable extern0-profile<br />
# netctl enable intern0-profile}}<br />
<br />
==ADSL connection/PPPoE==<br />
Using rp-pppoe, you can connect an ADSL modem to the extern0 interface of the firewall and have Arch manage the connection. Make sure you put the modem in ''bridged'' mode though (either half-bridge or RFC1483), otherwise the modem will act as a router too.<br />
{{bc|# pacman -S rp-pppoe}}<br />
<br />
Note that if you use only PPPoE to connect to the internet (i.e. you have no WAN port other than the one that connects to your modem) you do not need to set up the extern0-profile, as the external pseudo-interface will be ppp0.<br />
<br />
===PPPoE configuration===<br />
You can use netctl to set up the PPPoE connection. To get started, copy the example profile:<br />
{{bc|# cp /etc/netctl/examples/pppoe /etc/netctl/}}<br />
and edit it. For the interface configuration choose the interface that connects to the modem. If you only connect to the internet through PPPoE this will probably be '''extern0'''. Fill in the rest of the fields with your ISP information. See the pppoe section of the {{ic|netctl.profile(5)}} man page for more information on the fields.<br />
<br />
==DNS and DHCP==<br />
We will use [[dnsmasq]], a DNS and DHCP daemon for the LAN. It was specifically designed for small sites. To get it, [[Pacman | install]] {{Pkg|dnsmasq}} from the [[official repositories]].<br />
<br />
Dnsmasq needs to be configured as a DHCP server. Edit {{ic|/etc/dnsmasq.conf}}:<br />
<br />
{{bc|1=interface=intern0    # make dnsmasq listen for requests only on intern0 (our LAN)<br />
expand-hosts         # add a domain to simple hostnames in /etc/hosts<br />
domain=foo.bar       # allow fully qualified domain names for DHCP hosts (needed when<br />
                     # "expand-hosts" is used)<br />
dhcp-range=10.0.0.2,10.0.0.254,255.255.255.0,1h   # defines a DHCP range for the LAN:<br />
                     # from 10.0.0.2 to .254 (.1 is the router and .255 is the broadcast<br />
                     # address) with a subnet mask of 255.255.255.0 and a DHCP lease of<br />
                     # 1 hour (change to your own preferences)}}<br />
<br />
Further down in the same file you can also add "static" DHCP leases with {{ic|dhcp-host}}, i.e. assign a fixed IP address to the MAC address of a computer on the LAN. This way, whenever the computer requests a new lease, it gets the same IP. That is very useful for network servers with a DNS record. You can also refuse leases to certain MAC addresses.<br />
<br />
Now start dnsmasq:<br />
{{bc|# systemctl start dnsmasq.service}}<br />
<br />
==Connection sharing==<br />
<br />
Time to tie the two network interfaces to each other.<br />
===iptables===<br />
[[Simple stateful firewall]] documents the setup of an [[iptables]] firewall and NAT.<br />
<br />
===Shorewall===<br />
Shorewall, an iptables frontend, can be used as an easier alternative.<br />
<br />
{{bc|# pacman -S shorewall}}<br />
<br />
====Shorewall configuration====<br />
<br />
See [[Shorewall]] for Shorewall configuration.<br />
<br />
==IPv6==<br />
<br />
''Useful reading: [[IPv6]] and the [https://en.wikipedia.org/wiki/IPv6 Wikipedia IPv6 entry].''<br />
<br />
You can use your router in IPv6 mode even if you do not have an IPv6 address from your ISP. Unless you have disabled IPv6, every interface already has a link-local address from {{ic|fe80::/10}}.<br />
<br />
For internal networking the block {{ic|fc00::/7}} has been reserved. These addresses are designed to be unique and are not routable from the open internet. Addresses that belong to the {{ic|fc00::/7}} block are called [http://en.wikipedia.org/wiki/Unique_local_address Unique Local Addresses]. To get started, [http://www.simpledns.com/private-ipv6.aspx generate a ULA /64 block] to use in your network. For this example we will use {{ic|fd00:aaaa:bbbb:cccc::/64}}. First, assign a static IPv6 address to the internal interface by adding the following line to the {{ic|intern0-profile}} created above:<br />
{{bc|1=IPCustom=('-6 addr add fd00:aaaa:bbbb:cccc::1/64 dev intern0')}}<br />
This will add the ULA to the internal interface. As far as the router goes, this is all you need to configure.<br />
<br />
===Router Advertisement and Stateless Autoconfiguration (SLAAC)===<br />
<br />
To hand out IPv6 addresses to the network clients you need a router advertisement daemon. The standard tool for this job is {{ic|radvd}}, available in {{ic|[community]}}. Its configuration is fairly simple. Edit {{ic|/etc/radvd.conf}} to include:<br />
<br />
{{bc|<nowiki>interface intern0 {<br />
    AdvSendAdvert on;<br />
    MinRtrAdvInterval 3;<br />
    MaxRtrAdvInterval 10;<br />
    prefix fd00:aaaa:bbbb:cccc::/64 {<br />
        AdvOnLink on;<br />
        AdvAutonomous on;<br />
        AdvRouterAddr on;<br />
    };<br />
};</nowiki>}}<br />
<br />
The above configuration tells clients to autoconfigure themselves with addresses from the specified /64 block. Clients derive their addresses from the MAC address of the connected interface, unless [[IPv6#Privacy_Extensions|privacy extensions]] are enabled (which is recommended), in which case randomized temporary addresses are used instead. On the client side you need to set {{ic|IP6&#61;stateless}} in the active netctl profile. If you want a static address as well, add:<br />
{{bc|1=IPCustom=('-6 addr add fd00:aaaa:bbbb:cccc::2/64 dev eth0')}}<br />
<br />
Do not forget to start and enable {{ic|radvd.service}}.<br />
<br />
====Firewall tweaks====<br />
<br />
Stateless autoconfiguration relies on ICMPv6 (router solicitations/advertisements and neighbor discovery), so the firewalls on both ends of the network must let these packets through. On the '''client side''' all you need to do is allow the {{ic|ipv6-icmp}} protocol on the INPUT chain. If you are using [[Simple Stateful Firewall]] you only need to add:<br />
<br />
{{bc|-A INPUT -p ipv6-icmp -j ACCEPT}}<br />
<br />
You can restrict the rule to the internal network with {{ic|-s fd00:aaaa:bbbb:cccc::/64}} and/or {{ic|-s fe80::/10}} if you consider it a security risk. On the router you must add the same rule, extended to the OUTPUT and FORWARD chains as well:<br />
<br />
{{bc|-A INPUT -p ipv6-icmp -j ACCEPT<br />
-A OUTPUT -p ipv6-icmp -j ACCEPT<br />
-A FORWARD -p ipv6-icmp -j ACCEPT}}<br />
<br />
Again, you can limit it to the internal network for the INPUT chain.<br />
<br />
{{Expansion|More information on IPv6 firewalls required}}<br />
{{Expansion|Additional info on running DHCPv6 server instead of SLAAC}}<br />
<br />
===Global Unicast Addresses===<br />
<br />
====Static WAN IPv6====<br />
<br />
If your ISP or WAN network can reach the IPv6 Internet you can assign global unicast addresses to your router and propagate them through SLAAC to your internal network. If you have a static IPv6 address, all you need to do is add it to your external profile and enable advertisement of the global unicast block in {{ic|radvd.conf}}.<br />
<br />
In {{ic|/etc/netctl/extern0-profile}} simply add the IPv6 address and prefix length (usually /64) you have been given:<br />
<br />
{{bc|1=IPCustom=('-6 addr add 2002:1:2:3:4:5:6:7/64 dev extern0')}}<br />
<br />
and edit {{ic|/etc/radvd.conf}} to include the new advertisement block:<br />
<br />
{{bc|<nowiki>interface intern0 {<br />
    AdvSendAdvert on;<br />
    MinRtrAdvInterval 3;<br />
    MaxRtrAdvInterval 10;<br />
    prefix fd00:aaaa:bbbb:cccc::/64 {<br />
        AdvOnLink on;<br />
        AdvAutonomous on;<br />
        AdvRouterAddr on;<br />
    };<br />
    prefix 2002:1:2:3::/64 {<br />
        AdvOnLink on;<br />
        AdvAutonomous on;<br />
        AdvRouterAddr on;<br />
    };<br />
};</nowiki>}}<br />
<br />
This way your internal network clients also get a global IPv6 address. Such addresses are routable from the open internet, so adjust your firewalls (in particular the router's FORWARD chain) accordingly. Note that global and local IPv6 addresses can coexist on the same interface without further configuration.<br />
<br />
====Acquiring WAN IPv6 via DHCPv6-PD====<br />
<br />
If your ISP hands out IPv6 prefixes using DHCPv6 prefix delegation (DHCPv6-PD) you need a DHCPv6 client to obtain the prefix from your ISP. Common choices are [https://aur.archlinux.org/packages.php?O=0&L=0&C=0&K=dibbler dibbler] and [https://aur.archlinux.org/packages/wide-dhcpv6 wide-dhcpv6]. For dibbler, edit {{ic|/etc/dibbler/client.conf}}:<br />
<br />
{{bc|<nowiki>log-mode short<br />
log-level 7<br />
iface "extern0" {<br />
    ia<br />
    pd<br />
}</nowiki>}}<br />
<br />
and for wide-dhcpv6 edit {{ic|/etc/wide-dhcpv6/dhcp6c.conf}}:<br />
<br />
{{bc|<nowiki>interface extern0 {<br />
    send ia-pd 0;<br />
};<br />
<br />
id-assoc pd 0 {<br />
    prefix-interface intern0 {<br />
        sla-id 1;<br />
        sla-len 8;<br />
    };<br />
};</nowiki>}}<br />
To start and enable the wide-dhcpv6 client:<br />
{{bc|# systemctl start dhcpv6c@extern0.service<br />
# systemctl enable dhcpv6c@extern0.service}}<br />
<br />
Because the IPv6 prefix is now dynamic, radvd has to advertise whatever prefix is present instead of a fixed one. With the configuration below radvd picks any /64 prefix available on the internal interface and propagates it to the clients via SLAAC. Simply change {{ic|/etc/radvd.conf}} to:<br />
<br />
{{bc|<nowiki>interface intern0 {<br />
    AdvSendAdvert on;<br />
    MinRtrAdvInterval 3;<br />
    MaxRtrAdvInterval 10;<br />
    prefix ::/64 {<br />
        AdvOnLink on;<br />
        AdvAutonomous on;<br />
        AdvRouterAddr on;<br />
        DeprecatePrefix on;<br />
    };<br />
};</nowiki>}}<br />
<br />
====PPPoE and IPv6====<br />
If your ISP provides IPv6 via PPPoE you can enable it in your pppoe netctl profile. Add the following to the profile:<br />
<br />
{{bc|1=PPPoEIP6=yes}}<br />
<br />
and restart it. Also change any {{ic|extern0}} references in the configuration files above to {{ic|ppp0}}, since the IPv6 address is assigned to the ppp pseudo-interface rather than to a physical ethernet interface. Note that, depending on your modem, IPv6 might not be available in half-bridge mode; switch to full RFC1483 bridging instead.<br />
<br />
==Cleanup==<br />
<br />
Now that the installation has been performed, remove every package you do not need. On a gateway, unneeded packages only "bloat" the system and increase its attack surface.<br />
<br />
First, list packages that are no longer available in any repository (foreign packages; typically obsolete ones left behind after a fresh install and a long series of updates):<br />
<br />
{{bc|$ pacman -Qm}}<br />
<br />
Then review the list of explicitly installed packages that are not dependencies of others and remove any that are unneeded. Having only needed packages installed is an important security consideration.<br />
<br />
{{bc|$ pacman -Qet}}<br />
<br />
Completely remove the packages you do not need along with their configuration files and unneeded dependencies:<br />
<br />
{{bc|# pacman -Rsn package1 package2 package3}}<br />
<br />
== Logrotate ==<br />
<br />
You should review the [[logrotate]] configuration to make sure the box is not brought down by a lack of disk space due to logging.<br />
<br />
Logrotate is installed by default, so you will not have to install it.<br />
<br />
==Optional additions==<br />
<br />
===UPnP===<br />
The above configuration of shorewall does not include [http://en.wikipedia.org/wiki/UPnP UPnP] support. Use of [http://en.wikipedia.org/wiki/UPnP UPnP] is discouraged, as it lets any host on the LAN open ports on the gateway and may thus make it vulnerable to attacks from within the LAN. However, some applications such as MSN require it to function correctly.<br />
<br />
Read the [http://www.shorewall.net/UPnP.html Shorewall guide on UPnP] for more information.<br />
<br />
===Remote administration===<br />
<br />
[[SSH|OpenSSH]] can be used to administer your router remotely. This is useful for running it "headless" (no monitor or input devices).<br />
<br />
=== Caching web proxy ===<br />
<br />
See [[Squid]] or [[Polipo]] for setting up a web proxy to speed up browsing and/or add an extra layer of security.<br />
<br />
=== Time server ===<br />
To use the router as a time server, see [[Network Time Protocol]].<br />
<br />
Then, configure shorewall or iptables to allow NTP traffic (UDP port 123) in and out.<br />
<br />
=== Content filtering ===<br />
<br />
Install and configure [[DansGuardian]] or [[Privoxy]] if you need a content filtering solution.<br />
<br />
=== Traffic shaping ===<br />
<br />
Traffic shaping is very useful, especially when you are not the only one on the LAN. The idea is to assign a priority to different types of traffic. Interactive traffic (ssh, online gaming) probably needs the highest priority, while P2P traffic can do with the lowest. Then there is everything in between.<br />
<br />
==== Traffic shaping with shorewall ====<br />
<br />
Read [http://www.shorewall.net/traffic_shaping.htm Shorewall's Traffic Shaping/Control] guide.<br />
<br />
Here is my config as an example:<br />
* {{ic|/etc/shorewall/tcdevices}}: here is where you define the interface you want to have shaped and its rates. I have an ADSL connection with a 4 Mbit down/256 kbit up profile.<br />
{{bc|ppp0 4mbit 256kbit}}<br />
* {{ic|/etc/shorewall/tcclasses}}: here you define the minimum (rate) and maximum (ceil) throughput per class. You will assign each one to a type of traffic to shape.<br />
{{bc|# interactive traffic (ssh)<br />
ppp0 1 full full 0<br />
# online gaming<br />
ppp0 2 full/2 full 5<br />
# http<br />
ppp0 3 full/4 full 10<br />
# rest<br />
ppp0 4 full/6 full 15 default}}<br />
* {{ic|/etc/shorewall/tcrules}}: this file maps the types of traffic to the class each belongs to.<br />
{{bc|1 0.0.0.0/0 0.0.0.0/0 tcp ssh<br />
2 0.0.0.0/0 0.0.0.0/0 udp 27000:28000<br />
3 0.0.0.0/0 0.0.0.0/0 tcp http<br />
3 0.0.0.0/0 0.0.0.0/0 tcp https}}<br />
I have split my traffic into 4 groups:<br />
# interactive traffic or ssh: although it takes up almost no bandwidth, it is very annoying if it lags due to leechers on the LAN. This gets the highest priority.<br />
# online gaming: needless to say you cannot play when your ping sucks. ;)<br />
# web traffic: can be a bit slower.<br />
# everything else: every sort of download; they are the cause of the lag anyway.<br />
<br />
===Intrusion detection and prevention with snort===<br />
<br />
See [[Snort]].<br />
<br />
==See also==<br />
*[[Simple stateful firewall]]<br />
*[[Internet Share]]</div>Foucaulthttps://wiki.archlinux.org/index.php?title=Router&diff=269483Router2013-08-02T18:15:07Z<p>Foucault: /* IPv6 */ Configuration for IPv6 routers</p>
<hr />
<div>[[Category:Networking]]<br />
[[Category:Security]]<br />
This article is a tutorial for turning a computer into an internet gateway/router. It focuses on ''security'', since the gateway is connected directly to the Internet. It should not run '''any''' services available to the outside world. Towards the LAN, it should only run gateway-specific services. It should not run httpd, ftpd, samba, nfsd, etc.: those belong on a server inside the LAN, since every additional service adds attack surface to the gateway.<br />
<br />
This article does not attempt to show how to set up a shared connection between 2 PCs using cross-over cables. For a simple internet sharing solution, see [[Internet Share]].<br />
<br />
==Hardware Requirements==<br />
* At least 1 GB of hard drive space. The base install takes up around 500 MB, and if you want to use a caching web proxy, you will need to reserve space for the cache as well.<br />
* At least two physical network interfaces: a gateway connects two networks with each other, so both must be connected to the same physical computer. One interface connects to the external network, the other to the internal network.<br />
* A hub, switch or UTP cable: you need a way to connect the other computers to the gateway.<br />
<br />
==Conventions==<br />
This guide uses deliberately unrealistic interface names, to avoid confusion about which interface is which.<br />
<br />
* '''intern0''': the network card connected to the LAN. On an actual computer it will probably have a name like enp2s0, enp1s1, etc.<br />
* '''extern0''': the network card connected to the external network (or WAN). It will likewise have a name like enp2s0, enp1s1, etc.<br />
<br />
==Installation==<br />
{{Note | For a full installation guide, see the [[Official Arch Linux Install Guide]].}}<br />
<br />
A fresh install of Arch Linux is the easiest starting point: no configuration changes have been made yet and only a minimal set of packages is installed, which helps keep the attack surface small.<br />
<br />
===Partitioning===<br />
<br />
For security purposes, {{ic|/var}}, {{ic|/tmp}} and {{ic|/home}} should be separate from the {{ic|/}} partition. This prevents disk space from being completely used up by log files, daemons or the unprivileged user, and it allows different mount options (such as {{ic|nodev}}, {{ic|nosuid}} or {{ic|noexec}}) for those partitions. If you have already partitioned your drive, the [http://gparted.sourceforge.net/ gparted livecd] can be used to resize, move, or create new partitions.<br />
<br />
Your home and root partitions can be much smaller than for a regular install, since this is not a desktop machine. {{ic|/var}} should be the largest partition: it is where databases, logs and long-term caches are stored. If you have a lot of RAM, mounting {{ic|/tmp}} as {{ic|tmpfs}} is a good idea, so making a disk partition for it during the initial install is unnecessary. Note that {{ic|/tmp}} is mounted as {{ic|tmpfs}} by default in Arch.<br />
<br />
===Post-Installation===<br />
After creating a non-root account, install [[sudo]] and [[sudo#Disable root login|disable root login]].<br />
<br />
==Network interface configuration==<br />
<br />
===Persistent naming and Interface renaming===<br />
Systemd automatically chooses unique, persistent names for all your interfaces; they will not change when you reboot. If you would like to rename the interfaces to friendlier names, read [[Network_Configuration#Device_names]].<br />
<br />
===IP configuration===<br />
Now you will need to configure the network interfaces. The best way to do so is with [[netctl]] profiles. You will need to create two profiles.<br />
{{Note|If you will be connecting to the Internet only via PPPoE (you have one WAN port) you '''do not need''' to set up or enable the extern0-profile. See below for more information on configuring PPPoE.}}<br />
* {{ic|/etc/netctl/extern0-profile}}<br />
{{bc|1=Description='Public Interface'<br />
Interface=extern0<br />
Connection=ethernet<br />
IP='dhcp'}}<br />
<br />
* {{ic|/etc/netctl/intern0-profile}}<br />
{{bc|1=Description='Private Interface'<br />
Interface=intern0<br />
Connection=ethernet<br />
IP='static'<br />
Address=('10.0.0.1/24')}}<br />
<br />
{{Note|The example configuration above assumes a full subnet. If you are building the gateway for a small amount of people, you will want to change the CIDR suffix to accommodate a smaller range. For example /27 will give you 10.0.0.1 to 10.0.0.30. You can find many CIDR calculators online.}}<br />
<br />
Next, enable the interfaces with netctl:<br />
{{bc|# netctl enable extern0-profile<br />
# netctl enable intern0-profile}}<br />
<br />
==ADSL connection/PPPoE==<br />
Using rp-pppoe, you can connect an ADSL modem to the extern0 interface of the firewall and have Arch manage the connection. Make sure you put the modem in ''bridged'' mode though (either half-bridge or RFC1483), otherwise the modem will act as a router too.<br />
{{bc|# pacman -S rp-pppoe}}<br />
<br />
Note that if you use only PPPoE to connect to the internet (i.e. you have no WAN port other than the one that connects to your modem) you do not need to set up the extern0-profile, as the external pseudo-interface will be ppp0.<br />
<br />
===PPPoE configuration===<br />
You can use netctl to set up the PPPoE connection. To get started, copy the example profile:<br />
{{bc|# cp /etc/netctl/examples/pppoe /etc/netctl/}}<br />
and edit it. For the interface configuration choose the interface that connects to the modem. If you only connect to the internet through PPPoE this will probably be '''extern0'''. Fill in the rest of the fields with your ISP information. See the pppoe section of the {{ic|netctl.profile(5)}} man page for more information on the fields.<br />
<br />
==DNS and DHCP==<br />
We will use [[dnsmasq]], a DNS and DHCP daemon for the LAN. It was specifically designed for small sites. To get it, [[Pacman | install]] {{Pkg|dnsmasq}} from the [[official repositories]].<br />
<br />
Dnsmasq needs to be configured as a DHCP server. Edit {{ic|/etc/dnsmasq.conf}}:<br />
<br />
{{bc|1=interface=intern0    # make dnsmasq listen for requests only on intern0 (our LAN)<br />
expand-hosts         # add a domain to simple hostnames in /etc/hosts<br />
domain=foo.bar       # allow fully qualified domain names for DHCP hosts (needed when<br />
                     # "expand-hosts" is used)<br />
dhcp-range=10.0.0.2,10.0.0.254,255.255.255.0,1h   # defines a DHCP range for the LAN:<br />
                     # from 10.0.0.2 to .254 (.1 is the router and .255 is the broadcast<br />
                     # address) with a subnet mask of 255.255.255.0 and a DHCP lease of<br />
                     # 1 hour (change to your own preferences)}}<br />
<br />
Further down in the same file you can also add "static" DHCP leases with {{ic|dhcp-host}}, i.e. assign a fixed IP address to the MAC address of a computer on the LAN. This way, whenever the computer requests a new lease, it gets the same IP. That is very useful for network servers with a DNS record. You can also refuse leases to certain MAC addresses.<br />
<br />
Now start dnsmasq:<br />
{{bc|# systemctl start dnsmasq.service}}<br />
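The following added checker (not part of the ArchWiki article; the same DNS and DHCP section also appears in the earlier revision above) compares the dhcp-range and dhcp-host lines of dnsmasq.conf with the Address of the intern0 netctl profile. The MAC addresses and hostnames in the sample configuration are constructed; note that the range as written in the article ends at the subnet's broadcast address.<br />

```python
"""Added example (not from the ArchWiki article): check the dnsmasq DHCP range
against the router's netctl profile.

As written in the article, dhcp-range ends at 10.0.0.255, which is the broadcast
address of 10.0.0.0/24. This check flags that, as well as ranges that leave the
subnet, use a different netmask, or cover the router's own address, and static
leases (dhcp-host) outside the subnet. MAC addresses and hostnames below are
constructed sample data.
"""
import ipaddress
import re

INTERN0_PROFILE = """\
Description='Private Interface'
Interface=intern0
Connection=ethernet
IP='static'
Address=('10.0.0.1/24')
"""

# The article's dnsmasq.conf plus one constructed static lease.
DNSMASQ_CONF_AS_WRITTEN = """\
interface=intern0
expand-hosts
domain=foo.bar
dhcp-range=10.0.0.2,10.0.0.255,255.255.255.0,1h
dhcp-host=aa:bb:cc:dd:ee:ff,fileserver,10.0.0.10
"""

# Same file with the range ending at the last usable host address.
DNSMASQ_CONF_FIXED = DNSMASQ_CONF_AS_WRITTEN.replace("10.0.0.255", "10.0.0.254")

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def router_interface(profile_text):
    """Router address and subnet from the Address=('a.b.c.d/n') line of a netctl profile."""
    match = re.search(r"^Address=\('([^']+)'\)", profile_text, re.MULTILINE)
    if not match:
        raise ValueError("no Address= line in profile")
    return ipaddress.ip_interface(match.group(1))


def parse_dnsmasq(conf_text):
    """Collect (start, end, netmask) per dhcp-range and the address of each dhcp-host.

    Only the positional fields used here are parsed; tag:/set: prefixes are skipped.
    """
    ranges, hosts = [], []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("dhcp-range="):
            fields = [f for f in line[len("dhcp-range="):].split(",")
                      if not f.startswith(("tag:", "set:"))]
            start, end = ipaddress.ip_address(fields[0]), ipaddress.ip_address(fields[1])
            mask = fields[2] if len(fields) > 2 and IPV4.match(fields[2]) else None
            ranges.append((start, end, mask))
        elif line.startswith("dhcp-host="):
            addrs = [f for f in line[len("dhcp-host="):].split(",") if IPV4.match(f)]
            if addrs:
                hosts.append(ipaddress.ip_address(addrs[0]))
    return ranges, hosts


def check_dhcp(profile_text, conf_text):
    """Return a list of problems found; an empty list means the two files agree."""
    iface = router_interface(profile_text)
    net = iface.network
    ranges, hosts = parse_dnsmasq(conf_text)
    problems = []
    if not ranges:
        problems.append("no dhcp-range configured")
    for start, end, mask in ranges:
        if mask is not None and ipaddress.ip_address(mask) != net.netmask:
            problems.append(f"netmask {mask} differs from {net.netmask} of {iface}")
        if start not in net or end not in net:
            problems.append(f"range {start}-{end} leaves {net}")
            continue
        if end < start:
            problems.append(f"range end {end} precedes start {start}")
        if start <= iface.ip <= end:
            problems.append(f"range {start}-{end} covers the router address {iface.ip}")
        for special, name in ((net.network_address, "network"),
                              (net.broadcast_address, "broadcast")):
            if start <= special <= end:
                problems.append(f"range {start}-{end} includes the {name} address {special}")
    for host in hosts:
        if host not in net:
            problems.append(f"static lease {host} is outside {net}")
        elif host == iface.ip:
            problems.append(f"static lease {host} collides with the router address")
    return problems


if __name__ == "__main__":
    for name, conf in (("as written", DNSMASQ_CONF_AS_WRITTEN), ("fixed", DNSMASQ_CONF_FIXED)):
        print(name, check_dhcp(INTERN0_PROFILE, conf) or "OK")
```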
<br />
==Connection sharing==<br />
<br />
Time to tie the two network interfaces to each other.<br />
===iptables===<br />
[[Simple stateful firewall]] documents the setup of an [[iptables]] firewall and NAT.<br />
<br />
===Shorewall===<br />
Shorewall, an iptables frontend, can be used as an easier alternative.<br />
<br />
{{bc|# pacman -S shorewall}}<br />
<br />
====Shorewall configuration====<br />
<br />
See [[Shorewall]] for Shorewall configuration.<br />
<br />
==IPv6==<br />
<br />
''Useful reading: [[IPv6]] and the [https://en.wikipedia.org/wiki/IPv6 Wikipedia IPv6 entry].''<br />
<br />
You can use your router in IPv6 mode even if you do not have an IPv6 address from your ISP. Unless you have disabled IPv6, every interface already has a link-local address from {{ic|fe80::/10}}.<br />
<br />
For internal networking the block {{ic|fc00::/7}} has been reserved. These addresses are designed to be unique and are not routable from the open internet. Addresses that belong to the {{ic|fc00::/7}} block are called [http://en.wikipedia.org/wiki/Unique_local_address Unique Local Addresses]. To get started, [http://www.simpledns.com/private-ipv6.aspx generate a ULA /64 block] to use in your network. For this example we will use {{ic|fd00:aaaa:bbbb:cccc::/64}}. First, assign a static IPv6 address to the internal interface by adding the following line to the {{ic|intern0-profile}} created above:<br />
{{bc|1=IPCustom=('-6 addr add fd00:aaaa:bbbb:cccc::1/64 dev intern0')}}<br />
This will add the ULA to the internal interface. As far as the router goes, this is all you need to configure.<br />
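As an added example (not from the ArchWiki article; the same IPv6 section also appears in the earlier revision above), the following derives a ULA prefix the way RFC 4193 specifies instead of relying on an online generator, and shows how the article's fd00:aaaa:bbbb:cccc::/64 relates to a /48. The MAC address and timestamp used for the reproducible case are constructed values.<br />

```python
"""Added example (not from the ArchWiki article): derive a Unique Local Address
prefix the way RFC 4193 section 3.2.2 describes, rather than typing one by hand.

Global ID = low-order 40 bits of SHA-1(64-bit NTP timestamp || EUI-64 of a local
interface); the ULA /48 is 0xfd followed by that Global ID. A LAN /64 such as
the article's fd00:aaaa:bbbb:cccc::/64 is then a /48 plus a 16-bit subnet id.
The MAC address and timestamp used in the tests are constructed values.
"""
import hashlib
import ipaddress
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01


def eui64_from_mac(mac):
    """Modified EUI-64 from a 48-bit MAC (RFC 4291): insert ff:fe, flip the U/L bit."""
    octets = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    octets[0] ^= 0x02
    return bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])


def ntp_timestamp(unix_time):
    """64-bit NTP timestamp: 32-bit seconds since 1900, 32-bit fraction."""
    seconds = int(unix_time) + NTP_EPOCH_OFFSET
    fraction = int((unix_time - int(unix_time)) * 2**32)
    return (seconds << 32) | fraction


def ula_global_prefix(mac, unix_time=None):
    """Return the fdxx:xxxx:xxxx::/48 network for this MAC and time (RFC 4193 3.2.2)."""
    if unix_time is None:
        unix_time = time.time()
    key = ntp_timestamp(unix_time).to_bytes(8, "big") + eui64_from_mac(mac)
    global_id = hashlib.sha1(key).digest()[-5:]       # least significant 40 bits
    prefix = int.from_bytes(b"\xfd" + global_id + bytes(10), "big")
    return ipaddress.IPv6Network((prefix, 48))


def lan_subnet(global_prefix, subnet_id):
    """The /64 for one LAN segment: the /48 followed by a 16-bit subnet id."""
    if isinstance(global_prefix, str):
        global_prefix = ipaddress.IPv6Network(global_prefix)
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet id must fit in 16 bits")
    base = int(global_prefix.network_address) | (subnet_id << 64)
    return ipaddress.IPv6Network((base, 64))


def router_address(subnet):
    """The ::1 address the article assigns to intern0, as an interface object."""
    return ipaddress.IPv6Interface((int(subnet.network_address) | 1, 64))


if __name__ == "__main__":
    prefix = ula_global_prefix("00:11:22:33:44:55")   # constructed MAC
    lan = lan_subnet(prefix, 1)
    print(f"IPCustom=('-6 addr add {router_address(lan)} dev intern0')")
```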
<br />
===Router Advertisement and Stateless Autoconfiguration (SLAAC)===<br />
<br />
To hand out IPv6 addresses to the network clients you need a router advertisement daemon. The standard tool for this job is {{ic|radvd}}, available in {{ic|[community]}}. Its configuration is fairly simple. Edit {{ic|/etc/radvd.conf}} to include:<br />
<br />
{{bc|<nowiki>interface intern0 {<br />
    AdvSendAdvert on;<br />
    MinRtrAdvInterval 3;<br />
    MaxRtrAdvInterval 10;<br />
    prefix fd00:aaaa:bbbb:cccc::/64 {<br />
        AdvOnLink on;<br />
        AdvAutonomous on;<br />
        AdvRouterAddr on;<br />
    };<br />
};</nowiki>}}<br />
<br />
The above configuration tells clients to autoconfigure themselves with addresses from the specified /64 block. Clients derive their addresses from the MAC address of the connected interface, unless [[IPv6#Privacy_Extensions|privacy extensions]] are enabled (which is recommended), in which case randomized temporary addresses are used instead. On the client side you need to set {{ic|IP6&#61;stateless}} in the active netctl profile. If you want a static address as well, add:<br />
{{bc|1=IPCustom=('-6 addr add fd00:aaaa:bbbb:cccc::2/64 dev eth0')}}<br />
<br />
Do not forget to start and enable {{ic|radvd.service}}.<br />
<br />
====Firewall tweaks====<br />
<br />
Stateless autoconfiguration relies on ICMPv6 (router solicitations/advertisements and neighbor discovery), so the firewalls on both ends of the network must let these packets through. On the '''client side''' all you need to do is allow the {{ic|ipv6-icmp}} protocol on the INPUT chain. If you are using [[Simple Stateful Firewall]] you only need to add:<br />
<br />
{{bc|-A INPUT -p ipv6-icmp -j ACCEPT}}<br />
<br />
You can restrict the rule to the internal network with {{ic|-s fd00:aaaa:bbbb:cccc::/64}} and/or {{ic|-s fe80::/10}} if you consider it a security risk. On the router you must add the same rule, extended to the OUTPUT and FORWARD chains as well:<br />
<br />
{{bc|-A INPUT -p ipv6-icmp -j ACCEPT<br />
-A OUTPUT -p ipv6-icmp -j ACCEPT<br />
-A FORWARD -p ipv6-icmp -j ACCEPT}}<br />
<br />
Again, you can limit it to the internal network for the INPUT chain.<br />
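The blanket rules above accept every ICMPv6 message on every chain. As an added example (not from the ArchWiki article; the same firewall section also appears in the earlier revision above), the following generates per-type rules in the same ip6tables-restore syntax, following the RFC 4890 recommendations: neighbor discovery only with hop limit 255 and never forwarded, router advertisements accepted only from upstream, error messages everywhere, echo only from the LAN. It assumes the page's interface names and ULA prefix and that the Simple Stateful Firewall's ESTABLISHED,RELATED rule precedes these rules.<br />

```python
"""Added example (not from the ArchWiki article): build the ICMPv6 part of the
router's ip6tables ruleset by message type, instead of the article's blanket
"-A INPUT -p ipv6-icmp -j ACCEPT" on every chain.

SLAAC needs Neighbor Discovery (types 133-136); those always travel with hop limit
255 and never need forwarding. Everything needs the error messages (types 1-4), e.g.
for Path MTU discovery. Echo is useful inside the LAN. This follows RFC 4890.
Interface names, the ULA prefix and chain names are the ones used on this page; the
rules assume the usual ESTABLISHED,RELATED accept rule precedes them.
"""

ND_TYPES = (133, 134, 135, 136)   # RS, RA, NS, NA
ERROR_TYPES = (1, 2, 3, 4)        # dest-unreachable, packet-too-big, time-exceeded, param-problem
ECHO_REQUEST, ECHO_REPLY = 128, 129

LAN_IF = "intern0"
WAN_IF = "extern0"   # ppp0 in the PPPoE setup
LAN_PREFIXES = ("fe80::/10", "fd00:aaaa:bbbb:cccc::/64")


def rule(chain, icmp_type, *extra):
    """One ip6tables-restore line accepting a single ICMPv6 type on a chain."""
    return " ".join(("-A", chain, "-p", "ipv6-icmp", "--icmpv6-type", str(icmp_type),
                     *extra, "-j", "ACCEPT"))


def icmpv6_rules(lan_if=LAN_IF, wan_if=WAN_IF, lan_prefixes=LAN_PREFIXES):
    """Return the ICMPv6 rules for the INPUT, OUTPUT and FORWARD chains, in order."""
    rules = []
    # Neighbor Discovery, split by role: the router takes router advertisements only
    # from upstream and answers solicitations only on the LAN, so a LAN host cannot
    # become the router's default gateway. Hop limit 255 rejects anything that has
    # crossed a router. ND is link-local and is never forwarded.
    nd_in = {133: (lan_if,), 134: (wan_if,), 135: (lan_if, wan_if), 136: (lan_if, wan_if)}
    nd_out = {133: (wan_if,), 134: (lan_if,), 135: (lan_if, wan_if), 136: (lan_if, wan_if)}
    for icmp_type, ifaces in nd_in.items():
        for iface in ifaces:
            rules.append(rule("INPUT", icmp_type, "-i", iface, "-m", "hl", "--hl-eq", "255"))
    for icmp_type, ifaces in nd_out.items():
        for iface in ifaces:
            rules.append(rule("OUTPUT", icmp_type, "-o", iface, "-m", "hl", "--hl-eq", "255"))
    # Error messages: dropping these breaks PMTU discovery for the router and the LAN.
    for chain in ("INPUT", "OUTPUT", "FORWARD"):
        for icmp_type in ERROR_TYPES:
            rules.append(rule(chain, icmp_type))
    # Echo: the router answers pings from the LAN only; LAN hosts may ping outwards.
    for prefix in lan_prefixes:
        rules.append(rule("INPUT", ECHO_REQUEST, "-i", lan_if, "-s", prefix))
    rules.append(rule("OUTPUT", ECHO_REPLY))
    rules.append(rule("OUTPUT", ECHO_REQUEST))
    rules.append(rule("FORWARD", ECHO_REQUEST, "-i", lan_if, "-o", wan_if))
    return rules


def blanket_icmpv6_rules(ruleset_lines):
    """Find rules that accept all ICMPv6 without a type match, like the article's."""
    return [line.strip() for line in ruleset_lines
            if "-p ipv6-icmp" in line and "--icmpv6-type" not in line
            and line.strip().endswith("-j ACCEPT")]


if __name__ == "__main__":
    print("\n".join(icmpv6_rules()))
```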
<br />
{{Expansion|More information on IPv6 firewalls required}}<br />
{{Expansion|Additional info on running DHCPv6 server instead of SLAAC}}<br />
<br />
===Global Unicast Addresses===<br />
<br />
====Static WAN IPv6====<br />
<br />
If your ISP or WAN network can reach the IPv6 Internet you can assign global unicast addresses to your router and propagate them through SLAAC to your internal network. If you have a static IPv6 address, all you need to do is add it to your external profile and enable advertisement of the global unicast block in {{ic|radvd.conf}}.<br />
<br />
In {{ic|/etc/netctl/extern0-profile}} simply add the IPv6 address and prefix length (usually /64) you have been given:<br />
<br />
{{bc|1=IPCustom=('-6 addr add 2002:1:2:3:4:5:6:7/64 dev extern0')}}<br />
<br />
and edit {{ic|/etc/radvd.conf}} to include the new advertisement block:<br />
<br />
{{bc|<nowiki>interface intern0 {<br />
    AdvSendAdvert on;<br />
    MinRtrAdvInterval 3;<br />
    MaxRtrAdvInterval 10;<br />
    prefix fd00:aaaa:bbbb:cccc::/64 {<br />
        AdvOnLink on;<br />
        AdvAutonomous on;<br />
        AdvRouterAddr on;<br />
    };<br />
    prefix 2002:1:2:3::/64 {<br />
        AdvOnLink on;<br />
        AdvAutonomous on;<br />
        AdvRouterAddr on;<br />
    };<br />
};</nowiki>}}<br />
<br />
This way your internal network clients also get a global IPv6 address. Such addresses are routable from the open internet, so adjust your firewalls (in particular the router's FORWARD chain) accordingly. Note that global and local IPv6 addresses can coexist on the same interface without further configuration.<br />
<br />
====Acquiring WAN IPv6 via DHCPv6-PD====<br />
<br />
If your ISP hands out IPv6 prefixes using DHCPv6-PD you will need a DHCPv6 client to obtain the prefix from your ISP. Common such programs are [https://aur.archlinux.org/packages.php?O=0&L=0&C=0&K=dibbler dibbler] and [https://aur.archlinux.org/packages/wide-dhcpv6 wide-dhcpv6]. For dibbler edit {{ic|/etc/dibbler/client.conf}}<br />
<br />
log-mode short<br />
log-level 7<br />
iface "extern0" {<br />
ia<br />
pd<br />
}<br />
<br />
and for wide-dhcpv6 edit {{ic|/etc/wide-dhcpv6/dhcp6c.conf}}<br />
<br />
interface extern0 {<br />
send ia-pd 0;<br />
};<br />
<br />
id-assoc pd 0 {<br />
prefix-interface intern0 {<br />
sla-id 1;<br />
sla-len 8;<br />
};<br />
};<br />
To enable/start wide-dhcpv6 client use the command<br />
# systemctl enable/start dhcpv6c@extern0.service<br />
<br />
Because the IPv6 prefix is now dynamic, radvd has to advertise whatever prefix is currently assigned instead of a fixed one. With the configuration below radvd picks the /64 prefix configured on the internal interface and propagates SLAAC addresses to the clients; {{ic|DeprecatePrefix on}} makes radvd announce the prefix with a zero valid lifetime when it shuts down, so clients stop using a prefix that is no longer yours. Simply change {{ic|/etc/radvd.conf}} to<br />
<br />
interface intern0 {<br />
AdvSendAdvert on;<br />
MinRtrAdvInterval 3;<br />
MaxRtrAdvInterval 10;<br />
prefix ::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
DeprecatePrefix on;<br />
};<br />
};<br />
<br />
====PPPoE and IPv6====<br />
If your ISP provides IPv6 via PPPoE you can enable it in your PPPoE netctl profile. Just add<br />
<br />
PPPoEIP6=yes<br />
<br />
and restart it. You must also change any {{ic|extern0}} references in the configuration files above to {{ic|ppp0}}, since the IPv6 address is assigned to the ppp pseudo-interface instead of a physical Ethernet interface. Please note that, depending on your modem, IPv6 might not be available in half-bridge mode; switch to full RFC1483 bridging instead.<br />
<br />
==Cleanup==<br />
<br />
Now that the installation has been performed, it is necessary to remove as many packages as possible. Since we are making a gateway, keeping unneeded packages only "bloats" the system, and increases the number of security risks.<br />
<br />
First, list ''foreign'' packages, i.e. installed packages that are not present in any enabled repository (AUR packages, or packages that have since been dropped from the repositories and therefore no longer receive updates):<br />
<br />
$ pacman -Qm<br />
<br />
Review the list of explicitly installed packages that are not dependencies and remove any that are unneeded. Having only needed packages installed is an important security consideration.<br />
<br />
$ pacman -Qet<br />
<br />
Completely remove the packages you do not need along with their configuration files and dependencies:<br />
<br />
# pacman -Rsn package1 package2 package3<br />
<br />
== Logrotate ==<br />
<br />
You should review the [[logrotate]] configuration to make sure the box is not brought down by lack of diskspace due to logging.<br />
<br />
Logrotate is installed by default, so you will not have to install it.<br />
<br />
==Optional additions==<br />
<br />
===UPnP===<br />
The above configuration of shorewall does not include [http://en.wikipedia.org/wiki/UPnP UPnP] support. Use of [http://en.wikipedia.org/wiki/UPnP UPnP] is discouraged as it may make the gateway vulnerable to attacks from within the LAN. However, some applications such as MSN require this to function correctly.<br />
<br />
Read the [http://www.shorewall.net/UPnP.html Shorewall guide on UPnP] for more information.<br />
<br />
===Remote administration===<br />
<br />
[[SSH|OpenSSH]] can be used to administer your router remotely. This is useful for running it "headless" (no monitor or input devices).<br />
<br />
=== Caching web proxy ===<br />
<br />
See [[Squid]] or [[Polipo]] for the setup of a web proxy to speed up browsing and/or adding an extra layer of security.<br />
<br />
=== Time server ===<br />
To use the router as a time server, see [[Network Time Protocol]].<br />
<br />
Then, configure shorewall or iptables to allow NTP traffic in and out.<br />
<br />
=== Content filtering ===<br />
<br />
Install and configure [[DansGuardian]] or [[Privoxy]] if you need a content filtering solution.<br />
<br />
=== Traffic shaping ===<br />
<br />
Traffic shaping is very useful, especially when you are not the only one on the LAN. The idea is to assign a priority to different types of traffic. Interactive traffic (ssh, online gaming) probably needs the highest priority, while P2P traffic can do with the lowest. Then there is everything in between.<br />
<br />
==== Traffic shaping with shorewall ====<br />
<br />
Read [http://www.shorewall.net/traffic_shaping.htm Shorewall's Traffic Shaping/Control] guide.<br />
<br />
Here is my config as an example:<br />
* /etc/shorewall/tcdevices : here is where you define the interface you want to have shaped and its rates. I have got an ADSL connection with a 4MBit down/256KBit up profile.<br />
ppp0 4mbit 256kbit <br />
* /etc/shorewall/tcclasses : here you define the minimum (rate) and maximum (ceil) throughput per class. You will assign each one to a type of traffic to shape.<br />
# interactive traffic (ssh)<br />
ppp0 1 full full 0<br />
# online gaming<br />
ppp0 2 full/2 full 5<br />
# http<br />
ppp0 3 full/4 full 10<br />
# rest<br />
ppp0 4 full/6 full 15 default<br />
* /etc/shorewall/tcrules : this file contains the types of traffic and the class it belongs to.<br />
1 0.0.0.0/0 0.0.0.0/0 tcp ssh<br />
2 0.0.0.0/0 0.0.0.0/0 udp 27000:28000<br />
3 0.0.0.0/0 0.0.0.0/0 tcp http<br />
3 0.0.0.0/0 0.0.0.0/0 tcp https<br />
I have split my traffic into 4 groups: <br />
# interactive traffic or ssh: although it takes up almost no bandwidth, it is very annoying if it lags due to leechers on the LAN. This gets the highest priority.<br />
# online gaming: needless to say you cannot play when your ping sucks. ;)<br />
# webtraffic: can be a bit slower<br />
# everything else: every sort of download, they are the cause of the lag anyway.<br />
<br />
===Intrusion detection and prevention with snort===<br />
<br />
See [[Snort]].<br />
<br />
==See also==<br />
*[[Simple stateful firewall]]<br />
*[[Internet Share]]</div>Foucaulthttps://wiki.archlinux.org/index.php?title=Router&diff=268571Router2013-07-28T09:23:09Z<p>Foucault: /* IP configuration */ Some information about CIDR</p>
<hr />
<div>[[Category:Networking]]<br />
[[Category:Security]]<br />
This article is a tutorial for turning a computer into an internet gateway/router. It focuses on ''security'', since the gateway is connected directly to the Internet. It should not run '''any''' services reachable from the outside world. Towards the LAN, it should only run gateway-specific services. Do not run httpd, ftpd, samba, nfsd, etc. on it: those belong on a server inside the LAN, and every additional service on the gateway widens its attack surface.<br />
<br />
This article does not attempt to show how to set up a shared connection between 2 PCs using cross-over cables. For a simple internet sharing solution, see [[Internet Share]].<br />
<br />
==Hardware Requirements==<br />
* At least 1 GB of hard drive space. The base install will take up around 500MB of space and if you want to use a caching web proxy, you will need to reserve space for the cache as well.<br />
* At least two physical network interfaces: a gateway connects two networks with each other. You will need to be able to connect those networks to the same physical computer. One interface must connect to the external network, while the other connects to the internal network.<br />
* A hub, switch or UTP cable: You need a way to connect the other computers to the gateway<br />
<br />
==Conventions==<br />
Conventions in this guide will be to use non-realistic interface names, to avoid confusion about which interface is which.<br />
<br />
* '''intern0''': the network card connected to the LAN. On an actual computer it will probably have the name enp2s0, enp1s1, etc.<br />
* '''extern0''': the network card connected to the external network (or WAN). It will also have a name of the form enp2s0, enp1s1, etc. on an actual computer.<br />
<br />
==Installation==<br />
{{Note | For a full installation guide, see the [[Official Arch Linux Install Guide]].}}<br />
<br />
A fresh install of Arch Linux is the easiest to start from, as no configuration changes have been made and there is a minimal amount of packages installed. This is helpful when attempting to reduce security risk.<br />
<br />
===Partitioning===<br />
<br />
For security purposes, {{ic|/var}}, {{ic|/tmp}} and {{ic|/home}} should be separate from the {{ic|/}} partition. This prevents disk space from being completely used up by log files, daemons or the unprivileged user. It also allows different mount options for those partitions. If you have already partitioned your drive, the [http://gparted.sourceforge.net/ gparted livecd] can be used to resize, move, or create new partitions.<br />
<br />
Your home and root partitions can be much smaller than a regular install since this is not a desktop machine. {{ic|/var}} should be the largest partition—it is where databases, logs and long-term caches are stored. If you have a lot of RAM, mounting {{ic|/tmp}} as {{ic|tmpfs}} is a good idea, so making a disk partition for it during the initial install is unnecessary. Note that {{ic|/tmp}} is mounted as {{ic|tmpfs}} by default in Arch.<br />
<br />
===Post-Installation===<br />
After creating a non-root account, it is recommended to install [[sudo]] and [[sudo#Disable root login|disable root login]].<br />
<br />
==Network interface configuration==<br />
<br />
===Persistent naming and Interface renaming===<br />
Systemd automatically chooses unique interface names for all your interfaces. These are persistent and will not change when you reboot. If you would like to rename interfaces to friendlier names, read [[Network_Configuration#Device_names]].<br />
<br />
===IP configuration===<br />
Now you will need to configure the network interfaces. The best way to do so is using [[netctl]] profiles. You will need to create two profiles.<br />
{{Note|If you will be connecting to the Internet only via PPPoE (you have one WAN port) you '''do not need''' to set up or enable the extern0-profile. See below for more information on configuring PPPoE.}}<br />
* {{ic|/etc/netctl/extern0-profile}}<br />
Description='Public Interface.'<br />
Interface=extern0<br />
Connection=ethernet<br />
IP='dhcp'<br />
<br />
* {{ic|/etc/netctl/intern0-profile}}<br />
Description='Private Interface'<br />
Interface=intern0<br />
Connection=ethernet<br />
IP='static'<br />
Address=('10.0.0.1/24')<br />
<br />
{{Note|The example configuration above assumes a full /24 subnet (254 usable hosts). If you are building the gateway for a small number of people, you may want a longer CIDR suffix to accommodate a smaller range. For example, 10.0.0.1/27 gives you the hosts 10.0.0.1 to 10.0.0.30, with 10.0.0.0 as the network address and 10.0.0.31 as the broadcast address. You can find many CIDR calculators online.}}<br />
<br />
Next up is to set up the interfaces with netctl.<br />
# netctl enable extern0-profile<br />
# netctl enable intern0-profile<br />
<br />
==ADSL connection/PPPoE==<br />
Using rp-pppoe, we can connect an ADSL modem to extern0 on the firewall and have Arch manage the connection. Make sure you put the modem in ''bridged'' mode (either half-bridge or RFC1483), otherwise the modem will act as a router too.<br />
# pacman -S rp-pppoe<br />
<br />
Note that if you use only PPPoE to connect to the internet (i.e. you have no other WAN port apart from the one that connects to your modem) you do not need to set up the extern0-profile, as the external pseudo-interface will be ppp0.<br />
<br />
===PPPoE configuration===<br />
You can use netctl to setup the pppoe connection. To get started<br />
# cp /etc/netctl/examples/pppoe /etc/netctl/<br />
and start editing. For the interface configuration choose the interface that connects to the modem. If you only connect to the internet through PPPoE this will probably be '''extern0'''. Fill in the rest of the fields with your ISP information. See the pppoe section in the netctl.profile(5) man page for more information on the fields.<br />
<br />
==DNS and DHCP==<br />
We will use [[dnsmasq]], a DNS and DHCP daemon for the LAN. It was specifically designed for small sites. To get it, [[Pacman | install]] {{Pkg|dnsmasq}} from the [[official repositories]].<br />
<br />
Dnsmasq needs to be configured to be a DHCP server. To do this:<br />
<br />
Edit {{ic|/etc/dnsmasq.conf}}:<br />
<br />
interface=intern0 # make dnsmasq listen for requests only on intern0 (our LAN)<br />
expand-hosts # add a domain to simple hostnames in /etc/hosts<br />
domain=foo.bar # allow fully qualified domain names for DHCP hosts (needed when<br />
# "expand-hosts" is used)<br />
dhcp-range=10.0.0.2,10.0.0.254,255.255.255.0,1h # defines a DHCP-range for the LAN: <br />
# from 10.0.0.2 to .254 with a subnet mask of 255.255.255.0 and a<br />
# DHCP lease of 1 hour; .1 is the router and .255 the broadcast address,<br />
# so neither belongs in the pool (change to your own preferences)<br />
<br />
Further down, you will notice you can also add "static" DHCP leases with {{ic|dhcp-host}}, i.e. assign an IP address to the MAC address of a computer on the LAN. This way, whenever the computer requests a new lease, it will get the same IP. That is very useful for network servers with a DNS record. You can also deny certain MACs from obtaining an IP.<br />
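As an added example (not the wiki's own text or code), the following POSIX shell functions do the CIDR arithmetic behind the note on the {{ic|/27}} suffix in the IP configuration section and check that a dnsmasq {{ic|dhcp-range}} only leases usable host addresses of the router's subnet: a pool that includes the network or broadcast address, or the router's own address, is rejected. The addresses used are the page's {{ic|10.0.0.1/24}} examples.<br />

```shell
#!/bin/sh
# Added example, not from the wiki page: the CIDR arithmetic behind the
# Address=('10.0.0.1/24') line, and a check that a dnsmasq dhcp-range only
# hands out usable host addresses of that subnet. POSIX sh, no external tools.

# ip_to_int 10.0.0.1 -> 167772161
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 167772161 -> 10.0.0.1
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_info ADDR/PLEN -> "network first_host last_host broadcast usable_hosts"
cidr_info() {
    addr=${1%/*}; plen=${1#*/}
    if [ "$plen" -lt 0 ] || [ "$plen" -gt 32 ]; then
        echo "bad prefix length: $plen" >&2; return 1
    fi
    ip=$(ip_to_int "$addr")
    if [ "$plen" -eq 0 ]; then mask=0
    else mask=$(( (4294967295 << (32 - plen)) & 4294967295 )); fi
    net=$(( ip & mask ))
    bcast=$(( net | (~mask & 4294967295) ))
    if [ "$plen" -ge 31 ]; then
        # /31 (RFC 3021) and /32 have no separate network/broadcast address
        first=$net; last=$bcast; usable=$(( bcast - net + 1 ))
    else
        first=$(( net + 1 )); last=$(( bcast - 1 )); usable=$(( bcast - net - 1 ))
    fi
    echo "$(int_to_ip "$net") $(int_to_ip "$first") $(int_to_ip "$last") $(int_to_ip "$bcast") $usable"
}

# check_dhcp_range ROUTER_ADDR/PLEN START END
# Succeeds only if START..END lies inside the usable host range of the
# router's subnet and does not contain the router's own address.
check_dhcp_range() {
    cidr=$1; start=$2; end=$3
    info=$(cidr_info "$cidr") || return 1
    set -- $info                      # net first last bcast usable
    s=$(ip_to_int "$start"); e=$(ip_to_int "$end")
    lo=$(ip_to_int "$2"); hi=$(ip_to_int "$3"); self=$(ip_to_int "${cidr%/*}")
    if [ "$s" -gt "$e" ]; then
        echo "dhcp-range: start $start is after end $end" >&2; return 1
    fi
    if [ "$s" -lt "$lo" ] || [ "$e" -gt "$hi" ]; then
        echo "dhcp-range: $start-$end is outside the usable hosts $2-$3 (network/broadcast must not be leased)" >&2; return 1
    fi
    if [ "$self" -ge "$s" ] && [ "$self" -le "$e" ]; then
        echo "dhcp-range: $start-$end contains the router address ${cidr%/*}" >&2; return 1
    fi
    return 0
}

cidr_info 10.0.0.1/27      # 10.0.0.0 10.0.0.1 10.0.0.30 10.0.0.31 30
check_dhcp_range 10.0.0.1/24 10.0.0.2 10.0.0.255 || echo "-> end the pool at 10.0.0.254 instead"
check_dhcp_range 10.0.0.1/24 10.0.0.2 10.0.0.254 && echo "dhcp-range ok"
```

The check is worth running before restarting dnsmasq whenever you change the subnet: a pool ending at the broadcast address, or starting at the router's address, produces hosts that silently fail to talk to the gateway rather than an error in the log.<br />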
<br />
Now start dnsmasq:<br />
# systemctl start dnsmasq.service<br />
<br />
==Connection sharing==<br />
<br />
Time to tie the two network interfaces to each other.<br />
===iptables===<br />
[[Simple stateful firewall]] documents the setup of an [[iptables]] firewall and NAT.<br />
<br />
===Shorewall===<br />
Shorewall, an iptables frontend, can be used as an easier alternative.<br />
<br />
# pacman -S shorewall<br />
<br />
====Shorewall configuration====<br />
<br />
See [[Shorewall]] for Shorewall configuration.<br />
<br />
==Cleanup==<br />
<br />
Now that the installation has been performed, it is necessary to remove as many packages as possible. Since we are making a gateway, keeping unneeded packages only "bloats" the system, and increases the number of security risks.<br />
<br />
First, list ''foreign'' packages, i.e. installed packages that are not present in any enabled repository (AUR packages, or packages that have since been dropped from the repositories and therefore no longer receive updates):<br />
<br />
$ pacman -Qm<br />
<br />
Review the list of explicitly installed packages that are not dependencies and remove any that are unneeded. Having only needed packages installed is an important security consideration.<br />
<br />
$ pacman -Qet<br />
<br />
Completely remove the packages you do not need along with their configuration files and dependencies:<br />
<br />
# pacman -Rsn package1 package2 package3<br />
<br />
== Logrotate ==<br />
<br />
You should review the [[logrotate]] configuration to make sure the box is not brought down by lack of diskspace due to logging.<br />
<br />
Logrotate is installed by default, so you will not have to install it.<br />
<br />
==Optional additions==<br />
<br />
===UPnP===<br />
The above configuration of shorewall does not include [http://en.wikipedia.org/wiki/UPnP UPnP] support. Use of [http://en.wikipedia.org/wiki/UPnP UPnP] is discouraged as it may make the gateway vulnerable to attacks from within the LAN. However, some applications such as MSN require this to function correctly.<br />
<br />
Read the [http://www.shorewall.net/UPnP.html Shorewall guide on UPnP] for more information.<br />
<br />
===Remote administration===<br />
<br />
[[SSH|OpenSSH]] can be used to administer your router remotely. This is useful for running it "headless" (no monitor or input devices).<br />
<br />
=== Caching web proxy ===<br />
<br />
See [[Squid]] or [[Polipo]] for the setup of a web proxy to speed up browsing and/or adding an extra layer of security.<br />
<br />
=== Time server ===<br />
To use the router as a time server, see [[Network Time Protocol]].<br />
<br />
Then, configure shorewall or iptables to allow NTP traffic in and out.<br />
<br />
=== Content filtering ===<br />
<br />
Install and configure [[DansGuardian]] or [[Privoxy]] if you need a content filtering solution.<br />
<br />
=== Traffic shaping ===<br />
<br />
Traffic shaping is very useful, especially when you are not the only one on the LAN. The idea is to assign a priority to different types of traffic. Interactive traffic (ssh, online gaming) probably needs the highest priority, while P2P traffic can do with the lowest. Then there is everything in between.<br />
<br />
==== Traffic shaping with shorewall ====<br />
<br />
Read [http://www.shorewall.net/traffic_shaping.htm Shorewall's Traffic Shaping/Control] guide.<br />
<br />
Here is my config as an example:<br />
* /etc/shorewall/tcdevices : here is where you define the interface you want to have shaped and its rates. I have got an ADSL connection with a 4MBit down/256KBit up profile.<br />
ppp0 4mbit 256kbit <br />
* /etc/shorewall/tcclasses : here you define the minimum (rate) and maximum (ceil) throughput per class. You will assign each one to a type of traffic to shape.<br />
# interactive traffic (ssh)<br />
ppp0 1 full full 0<br />
# online gaming<br />
ppp0 2 full/2 full 5<br />
# http<br />
ppp0 3 full/4 full 10<br />
# rest<br />
ppp0 4 full/6 full 15 default<br />
* /etc/shorewall/tcrules : this file contains the types of traffic and the class it belongs to.<br />
1 0.0.0.0/0 0.0.0.0/0 tcp ssh<br />
2 0.0.0.0/0 0.0.0.0/0 udp 27000:28000<br />
3 0.0.0.0/0 0.0.0.0/0 tcp http<br />
3 0.0.0.0/0 0.0.0.0/0 tcp https<br />
I have split my traffic into 4 groups: <br />
# interactive traffic or ssh: although it takes up almost no bandwidth, it is very annoying if it lags due to leechers on the LAN. This gets the highest priority.<br />
# online gaming: needless to say you cannot play when your ping sucks. ;)<br />
# webtraffic: can be a bit slower<br />
# everything else: every sort of download, they are the cause of the lag anyway.<br />
<br />
===Intrusion detection and prevention with snort===<br />
<br />
See [[Snort]].<br />
<br />
==See also==<br />
*[[Simple stateful firewall]]<br />
*[[Internet Share]]</div>Foucaulthttps://wiki.archlinux.org/index.php?title=Router&diff=268478Router2013-07-28T00:19:47Z<p>Foucault: /* IP configuration */ ic blocks for config files</p>
<hr />
<div>[[Category:Networking]]<br />
[[Category:Security]]<br />
This article is a tutorial for turning a computer into an internet gateway/router. It focuses on ''security'', since the gateway is connected directly to the Internet. It should not run '''any''' services reachable from the outside world. Towards the LAN, it should only run gateway-specific services. Do not run httpd, ftpd, samba, nfsd, etc. on it: those belong on a server inside the LAN, and every additional service on the gateway widens its attack surface.<br />
<br />
This article does not attempt to show how to set up a shared connection between 2 PCs using cross-over cables. For a simple internet sharing solution, see [[Internet Share]].<br />
<br />
==Hardware Requirements==<br />
* At least 1 GB of hard drive space. The base install will take up around 500MB of space and if you want to use a caching web proxy, you will need to reserve space for the cache as well.<br />
* At least two physical network interfaces: a gateway connects two networks with each other. You will need to be able to connect those networks to the same physical computer. One interface must connect to the external network, while the other connects to the internal network.<br />
* A hub, switch or UTP cable: You need a way to connect the other computers to the gateway<br />
<br />
==Conventions==<br />
Conventions in this guide will be to use non-realistic interface names, to avoid confusion about which interface is which.<br />
<br />
* '''intern0''': the network card connected to the LAN. On an actual computer it will probably have the name enp2s0, enp1s1, etc.<br />
* '''extern0''': the network card connected to the external network (or WAN). It will also have a name of the form enp2s0, enp1s1, etc. on an actual computer.<br />
<br />
==Installation==<br />
{{Note | For a full installation guide, see the [[Official Arch Linux Install Guide]].}}<br />
<br />
A fresh install of Arch Linux is the easiest to start from, as no configuration changes have been made and there is a minimal amount of packages installed. This is helpful when attempting to reduce security risk.<br />
<br />
===Partitioning===<br />
<br />
For security purposes, {{ic|/var}}, {{ic|/tmp}} and {{ic|/home}} should be separate from the {{ic|/}} partition. This prevents disk space from being completely used up by log files, daemons or the unprivileged user. It also allows different mount options for those partitions. If you have already partitioned your drive, the [http://gparted.sourceforge.net/ gparted livecd] can be used to resize, move, or create new partitions.<br />
<br />
Your home and root partitions can be much smaller than a regular install since this is not a desktop machine. {{ic|/var}} should be the largest partition—it is where databases, logs and long-term caches are stored. If you have a lot of RAM, mounting {{ic|/tmp}} as {{ic|tmpfs}} is a good idea, so making a disk partition for it during the initial install is unnecessary. Note that {{ic|/tmp}} is mounted as {{ic|tmpfs}} by default in Arch.<br />
<br />
===Post-Installation===<br />
After creating a non-root account, it is recommended to install [[sudo]] and [[sudo#Disable root login|disable root login]].<br />
<br />
==Network interface configuration==<br />
<br />
===Persistent naming and Interface renaming===<br />
Systemd automatically chooses unique interface names for all your interfaces. These are persistent and will not change when you reboot. If you would like to rename interfaces to friendlier names, read [[Network_Configuration#Device_names]].<br />
<br />
===IP configuration===<br />
Now you will need to configure the network interfaces. The best way to do so is using [[netctl]] profiles. You will need to create two profiles.<br />
{{Note|If you will be connecting to the Internet only via PPPoE (you have one WAN port) you '''do not need''' to set up or enable the extern0-profile. See below for more information on configuring PPPoE.}}<br />
* {{ic|/etc/netctl/extern0-profile}}<br />
Description='Public Interface.'<br />
Interface=extern0<br />
Connection=ethernet<br />
IP='dhcp'<br />
<br />
* {{ic|/etc/netctl/intern0-profile}}<br />
Description='Private Interface'<br />
Interface=intern0<br />
Connection=ethernet<br />
IP='static'<br />
Address=('10.0.0.1/24')<br />
<br />
{{Note|The example configuration above assumes a full subnet. If you are building the gateway for a small amount of people, you will want to change the CIDR suffix to accommodate a smaller range.}}<br />
<br />
Next up is to set up the interfaces with netctl.<br />
# netctl enable extern0-profile<br />
# netctl enable intern0-profile<br />
<br />
==ADSL connection/PPPoE==<br />
Using rp-pppoe, we can connect an ADSL modem to extern0 on the firewall and have Arch manage the connection. Make sure you put the modem in ''bridged'' mode (either half-bridge or RFC1483), otherwise the modem will act as a router too.<br />
# pacman -S rp-pppoe<br />
<br />
Note that if you use only PPPoE to connect to the internet (i.e. you have no other WAN port apart from the one that connects to your modem) you do not need to set up the extern0-profile, as the external pseudo-interface will be ppp0.<br />
<br />
===PPPoE configuration===<br />
You can use netctl to setup the pppoe connection. To get started<br />
# cp /etc/netctl/examples/pppoe /etc/netctl/<br />
and start editing. For the interface configuration choose the interface that connects to the modem. If you only connect to the internet through PPPoE this will probably be '''extern0'''. Fill in the rest of the fields with your ISP information. See the pppoe section in the netctl.profile(5) man page for more information on the fields.<br />
<br />
==DNS and DHCP==<br />
We will use [[dnsmasq]], a DNS and DHCP daemon for the LAN. It was specifically designed for small sites. To get it, [[Pacman | install]] {{Pkg|dnsmasq}} from the [[official repositories]].<br />
<br />
Dnsmasq needs to be configured to be a DHCP server. To do this:<br />
<br />
Edit {{ic|/etc/dnsmasq.conf}}:<br />
<br />
interface=intern0 # make dnsmasq listen for requests only on intern0 (our LAN)<br />
expand-hosts # add a domain to simple hostnames in /etc/hosts<br />
domain=foo.bar # allow fully qualified domain names for DHCP hosts (needed when<br />
# "expand-hosts" is used)<br />
dhcp-range=10.0.0.2,10.0.0.254,255.255.255.0,1h # defines a DHCP-range for the LAN: <br />
# from 10.0.0.2 to .254 with a subnet mask of 255.255.255.0 and a<br />
# DHCP lease of 1 hour; .1 is the router and .255 the broadcast address,<br />
# so neither belongs in the pool (change to your own preferences)<br />
<br />
Further down, you will notice you can also add "static" DHCP leases with {{ic|dhcp-host}}, i.e. assign an IP address to the MAC address of a computer on the LAN. This way, whenever the computer requests a new lease, it will get the same IP. That is very useful for network servers with a DNS record. You can also deny certain MACs from obtaining an IP.<br />
<br />
Now start dnsmasq:<br />
# systemctl start dnsmasq.service<br />
<br />
==Connection sharing==<br />
<br />
Time to tie the two network interfaces to each other.<br />
===iptables===<br />
[[Simple stateful firewall]] documents the setup of an [[iptables]] firewall and NAT.<br />
<br />
===Shorewall===<br />
Shorewall, an iptables frontend, can be used as an easier alternative.<br />
<br />
# pacman -S shorewall<br />
<br />
====Shorewall configuration====<br />
<br />
See [[Shorewall]] for Shorewall configuration.<br />
<br />
==Cleanup==<br />
<br />
Now that the installation has been performed, it is necessary to remove as many packages as possible. Since we are making a gateway, keeping unneeded packages only "bloats" the system, and increases the number of security risks.<br />
<br />
First, list ''foreign'' packages, i.e. installed packages that are not present in any enabled repository (AUR packages, or packages that have since been dropped from the repositories and therefore no longer receive updates):<br />
<br />
$ pacman -Qm<br />
<br />
Review the list of explicitly installed packages that are not dependencies and remove any that are unneeded. Having only needed packages installed is an important security consideration.<br />
<br />
$ pacman -Qet<br />
<br />
Completely remove the packages you do not need along with their configuration files and dependencies:<br />
<br />
# pacman -Rsn package1 package2 package3<br />
<br />
== Logrotate ==<br />
<br />
You should review the [[logrotate]] configuration to make sure the box is not brought down by lack of diskspace due to logging.<br />
<br />
Logrotate is installed by default, so you will not have to install it.<br />
<br />
==Optional additions==<br />
<br />
===UPnP===<br />
The above configuration of shorewall does not include [http://en.wikipedia.org/wiki/UPnP UPnP] support. Use of [http://en.wikipedia.org/wiki/UPnP UPnP] is discouraged as it may make the gateway vulnerable to attacks from within the LAN. However, some applications such as MSN require this to function correctly.<br />
<br />
Read the [http://www.shorewall.net/UPnP.html Shorewall guide on UPnP] for more information.<br />
<br />
===Remote administration===<br />
<br />
[[SSH|OpenSSH]] can be used to administer your router remotely. This is useful for running it "headless" (no monitor or input devices).<br />
<br />
=== Caching web proxy ===<br />
<br />
See [[Squid]] or [[Polipo]] for the setup of a web proxy to speed up browsing and/or adding an extra layer of security.<br />
<br />
=== Time server ===<br />
To use the router as a time server, see [[Network Time Protocol]].<br />
<br />
Then, configure shorewall or iptables to allow NTP traffic in and out.<br />
<br />
=== Content filtering ===<br />
<br />
Install and configure [[DansGuardian]] or [[Privoxy]] if you need a content filtering solution.<br />
<br />
=== Traffic shaping ===<br />
<br />
Traffic shaping is very useful, especially when you are not the only one on the LAN. The idea is to assign a priority to different types of traffic. Interactive traffic (ssh, online gaming) probably needs the highest priority, while P2P traffic can do with the lowest. Then there is everything in between.<br />
<br />
==== Traffic shaping with shorewall ====<br />
<br />
Read [http://www.shorewall.net/traffic_shaping.htm Shorewall's Traffic Shaping/Control] guide.<br />
<br />
Here is my config as an example:<br />
* /etc/shorewall/tcdevices : here is where you define the interface you want to have shaped and its rates. I have got an ADSL connection with a 4MBit down/256KBit up profile.<br />
ppp0 4mbit 256kbit <br />
* /etc/shorewall/tcclasses : here you define the minimum (rate) and maximum (ceil) throughput per class. You will assign each one to a type of traffic to shape.<br />
# interactive traffic (ssh)<br />
ppp0 1 full full 0<br />
# online gaming<br />
ppp0 2 full/2 full 5<br />
# http<br />
ppp0 3 full/4 full 10<br />
# rest<br />
ppp0 4 full/6 full 15 default<br />
* /etc/shorewall/tcrules : this file contains the types of traffic and the class it belongs to.<br />
1 0.0.0.0/0 0.0.0.0/0 tcp ssh<br />
2 0.0.0.0/0 0.0.0.0/0 udp 27000:28000<br />
3 0.0.0.0/0 0.0.0.0/0 tcp http<br />
3 0.0.0.0/0 0.0.0.0/0 tcp https<br />
I have split my traffic into 4 groups: <br />
# interactive traffic or ssh: although it takes up almost no bandwidth, it is very annoying if it lags due to leechers on the LAN. This gets the highest priority.<br />
# online gaming: needless to say you cannot play when your ping sucks. ;)<br />
# webtraffic: can be a bit slower<br />
# everything else: every sort of download, they are the cause of the lag anyway.<br />
<br />
===Intrusion detection and prevention with snort===<br />
<br />
See [[Snort]].<br />
<br />
==See also==<br />
*[[Simple stateful firewall]]<br />
*[[Internet Share]]</div>Foucaulthttps://wiki.archlinux.org/index.php?title=Router&diff=268477Router2013-07-28T00:18:25Z<p>Foucault: Removed the out of date flag.</p>
<hr />
<div>[[Category:Networking]]<br />
[[Category:Security]]<br />
This article is a tutorial for turning a computer into an internet gateway/router. It focuses on ''security'', since the gateway is connected directly to the Internet. It should not run '''any''' services reachable from the outside world. Towards the LAN, it should only run gateway-specific services. Do not run httpd, ftpd, samba, nfsd, etc. on it: those belong on a server inside the LAN, and every additional service on the gateway widens its attack surface.<br />
<br />
This article does not attempt to show how to set up a shared connection between 2 PCs using cross-over cables. For a simple internet sharing solution, see [[Internet Share]].<br />
<br />
==Hardware Requirements==<br />
* At least 1 GB of hard drive space. The base install will take up around 500MB of space and if you want to use a caching web proxy, you will need to reserve space for the cache as well.<br />
* At least two physical network interfaces: a gateway connects two networks with each other. You will need to be able to connect those networks to the same physical computer. One interface must connect to the external network, while the other connects to the internal network.<br />
* A hub, switch or UTP cable: You need a way to connect the other computers to the gateway<br />
<br />
==Conventions==<br />
Conventions in this guide will be to use non-realistic interface names, to avoid confusion about which interface is which.<br />
<br />
* '''intern0''': the network card connected to the LAN. On an actual computer it will probably have the name enp2s0, enp1s1, etc.<br />
* '''extern0''': the network card connected to the external network (or WAN). It will also have a name of the form enp2s0, enp1s1, etc. on an actual computer.<br />
<br />
==Installation==<br />
{{Note | For a full installation guide, see the [[Official Arch Linux Install Guide]].}}<br />
<br />
A fresh install of Arch Linux is the easiest to start from, as no configuration changes have been made and there is a minimal amount of packages installed. This is helpful when attempting to reduce security risk.<br />
<br />
===Partitioning===<br />
<br />
For security purposes, {{ic|/var}}, {{ic|/tmp}} and {{ic|/home}} should be separate from the {{ic|/}} partition. This prevents disk space from being completely used up by log files, daemons or the unprivileged user. It also allows different mount options for those partitions. If you have already partitioned your drive, the [http://gparted.sourceforge.net/ gparted livecd] can be used to resize, move, or create new partitions.<br />
<br />
Your home and root partitions can be much smaller than a regular install since this is not a desktop machine. {{ic|/var}} should be the largest partition—it is where databases, logs and long-term caches are stored. If you have a lot of RAM, mounting {{ic|/tmp}} as {{ic|tmpfs}} is a good idea, so making a disk partition for it during the initial install is unnecessary. Note that {{ic|/tmp}} is mounted as {{ic|tmpfs}} by default in Arch.<br />
<br />
===Post-Installation===<br />
After creating a non-root account, it is recommended to install [[sudo]] and [[sudo#Disable root login|disable root login]].<br />
<br />
==Network interface configuration==<br />
<br />
===Persistent naming and Interface renaming===<br />
Systemd automatically chooses unique interface names for all your interfaces. These are persistent and will not change when you reboot. If you would like to rename interfaces to friendlier names, read [[Network_Configuration#Device_names]].<br />
<br />
===IP configuration===<br />
Now you will need to configure the network interfaces. The best way to do so is with [[netctl]] profiles; you will need to create two of them.<br />
{{Note|If you will be connecting to the Internet only via PPPoE (you have one WAN port) you '''do not need''' to set up or enable the extern0-profile. See below for more information on configuring PPPoE.}}<br />
* /etc/netctl/extern0-profile<br />
Description='Public Interface.'<br />
Interface=extern0<br />
Connection=ethernet<br />
IP='dhcp'<br />
<br />
* /etc/netctl/intern0-profile<br />
Description='Private Interface'<br />
Interface=intern0<br />
Connection=ethernet<br />
IP='static'<br />
Address=('10.0.0.1/24')<br />
<br />
{{Note|The example configuration above assumes a full subnet. If you are building the gateway for a small amount of people, you will want to change the CIDR suffix to accommodate a smaller range.}}<br />
<br />
Next, enable both profiles with netctl so that they are started at boot:<br />
# netctl enable extern0-profile<br />
# netctl enable intern0-profile<br />
<br />
==ADSL connection/PPPoE==<br />
Using rp-pppoe, we can connect an ADSL modem to the extern1 interface of the gateway and have Arch manage the connection. Make sure you put the modem in ''bridged'' mode (either half-bridge or RFC1483), otherwise the modem will act as a router too.<br />
# pacman -S rp-pppoe<br />
<br />
Note that if you use only PPPoE to connect to the internet (i.e. you have no WAN port other than the one that connects to your modem) you do not need to set up the extern0-profile, as the external pseudo-interface will be ppp0.<br />
<br />
===PPPoE configuration===<br />
You can use netctl to set up the PPPoE connection. To get started, copy the example profile:<br />
# cp /etc/netctl/examples/pppoe /etc/netctl/<br />
and start editing. For the interface configuration, choose the interface that connects to the modem; if you only connect to the internet through PPPoE, this will probably be '''extern0'''. Fill in the rest of the fields with your ISP information. See the PPPoE section of the netctl.profile man page for more information on the fields.<br />
<br />
==DNS and DHCP==<br />
We will use [[dnsmasq]], a DNS and DHCP daemon for the LAN. It was specifically designed for small sites. To get it, [[Pacman | install]] {{Pkg|dnsmasq}} from the [[official repositories]].<br />
<br />
Dnsmasq needs to be configured as a DHCP server. Edit {{ic|/etc/dnsmasq.conf}}:<br />
<br />
interface=intern0 # make dnsmasq listen for requests only on intern0 (our LAN)<br />
expand-hosts # add a domain to simple hostnames in /etc/hosts<br />
domain=foo.bar # allow fully qualified domain names for DHCP hosts (needed when<br />
# "expand-hosts" is used)<br />
dhcp-range=10.0.0.2,10.0.0.254,255.255.255.0,1h # defines a DHCP range for the LAN:<br />
# from 10.0.0.2 to .254 (10.0.0.255 is the broadcast address of the /24 and<br />
# must not be handed out) with a subnet mask of 255.255.255.0 and a<br />
# DHCP lease of 1 hour (change to your own preferences)<br />
<br />
Further down in the file you will notice that you can also add "static" DHCP leases, i.e. assign a fixed IP address to the MAC address of a computer on the LAN. This way, whenever the computer requests a new lease, it will get the same IP, which is very useful for network servers with a DNS record. You can also deny certain MACs a lease.<br />
<br />
Now start dnsmasq:<br />
# systemctl start dnsmasq.service<br />
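The dnsmasq configuration above binds the DHCP and DNS service to the LAN side and hands out a pool of addresses. The checker below is an added example written for this article (it is not part of dnsmasq or of the original page): it reads a constructed copy of such a file and reports the mistakes that matter on a gateway: serving on an interface other than intern0, leaving out bind-interfaces (without it dnsmasq binds the wildcard address and merely discards requests from other interfaces), a pool that includes the network or broadcast address or the gateway's own 10.0.0.1, and a static lease outside the LAN subnet. The function names and the MAC addresses in the samples are constructed for the example.<br />
<br />
```python
import ipaddress

# Constructed sample based on the article's dnsmasq.conf: pool ends at .254
# (the last usable host), bind-interfaces added, two constructed static-lease
# lines for illustration.
GOOD_CONF = """\
interface=intern0
bind-interfaces
expand-hosts
domain=foo.bar
dhcp-range=10.0.0.2,10.0.0.254,255.255.255.0,1h
dhcp-host=00:11:22:33:44:55,10.0.0.10,fileserver
dhcp-host=66:77:88:99:aa:bb,ignore
"""

# Constructed variant with three defects: no bind-interfaces, pool ending on the
# broadcast address, and a static lease in the wrong subnet.
BAD_CONF = """\
interface=intern0
expand-hosts
domain=foo.bar
dhcp-range=10.0.0.2,10.0.0.255,255.255.255.0,1h
dhcp-host=00:11:22:33:44:55,10.0.1.10,fileserver
"""


def parse_conf(text):
    """Return (key, value) pairs; '#' to end of line is treated as a comment,
    blank lines are skipped and flag options get an empty value."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition("=")
            entries.append((key.strip(), value.strip()))
    return entries


def _addresses(csv):
    """The fields of a comma-separated dnsmasq value that parse as IP addresses
    (tags, MAC addresses, hostnames and lease times are skipped)."""
    out = []
    for field in csv.split(","):
        try:
            out.append(ipaddress.ip_address(field.strip()))
        except ValueError:
            pass
    return out


def check_dnsmasq(text, lan_iface, gateway_cidr):
    """Return a list of findings for a dnsmasq.conf; an empty list means clean.
    gateway_cidr is the LAN address of the gateway, e.g. '10.0.0.1/24'."""
    gw = ipaddress.ip_interface(gateway_cidr)
    net = gw.network
    entries = parse_conf(text)
    keys = {k for k, _ in entries}
    findings = []

    # 1. The service must face the LAN only.
    ifaces = [v for k, v in entries if k == "interface"]
    if lan_iface not in ifaces:
        findings.append(f"not restricted to {lan_iface}: DHCP/DNS may answer on the WAN side")
    for extra in sorted(set(ifaces) - {lan_iface}):
        findings.append(f"also listening on {extra}")
    if ifaces and "bind-interfaces" not in keys:
        findings.append("interface= set without bind-interfaces: socket is bound to the wildcard address")

    # 2. The pool and the static leases must fit the LAN subnet.
    for k, v in entries:
        if k == "dhcp-range":
            addrs = _addresses(v)
            if len(addrs) < 2:
                findings.append(f"dhcp-range without a start/end pair: {v}")
                continue
            start, end = addrs[0], addrs[1]
            if start not in net or end not in net:
                findings.append(f"dhcp-range {start}-{end} lies outside {net}")
            if start == net.network_address or end == net.broadcast_address:
                findings.append(f"dhcp-range {start}-{end} includes the network or broadcast address")
            if start <= gw.ip <= end:
                findings.append(f"dhcp-range {start}-{end} includes the gateway address {gw.ip}")
        elif k == "dhcp-host" and "ignore" not in v.split(","):
            for ip in _addresses(v):
                if ip not in net:
                    findings.append(f"static lease {ip} is outside {net}")
    return findings


if __name__ == "__main__":
    for conf in (GOOD_CONF, BAD_CONF):
        print(check_dnsmasq(conf, "intern0", "10.0.0.1/24") or ["ok"])
```

Run against the first sample it reports nothing; against the second it reports the missing bind-interfaces, the pool ending on the broadcast address and the out-of-subnet lease. Point it at the real file with {{ic|open('/etc/dnsmasq.conf').read()}} and the LAN address from the intern0 profile.<br />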
<br />
==Connection sharing==<br />
<br />
Time to tie the two network interfaces to each other.<br />
===iptables===<br />
[[Simple stateful firewall]] documents the setup of an [[iptables]] firewall and NAT.<br />
<br />
===Shorewall===<br />
Shorewall, an iptables frontend, can be used as an easier alternative.<br />
<br />
# pacman -S shorewall<br />
<br />
====Shorewall configuration====<br />
<br />
See [[Shorewall]] for Shorewall configuration.<br />
<br />
==Cleanup==<br />
<br />
Now that the installation has been performed, it is necessary to remove as many packages as possible. Since we are making a gateway, keeping unneeded packages only "bloats" the system, and increases the number of security risks.<br />
<br />
First, check for foreign packages, i.e. packages that no longer exist in the repositories (likely after a fresh install followed by a long series of updates):<br />
<br />
$ pacman -Qm<br />
<br />
Review the list of explicitly installed packages that are not dependencies and remove any that are unneeded. Having only needed packages installed is an important security consideration.<br />
<br />
$ pacman -Qet<br />
<br />
Completely remove the packages you do not need along with their configuration files and dependencies:<br />
<br />
# pacman -Rsn package1 package2 package3<br />
<br />
== Logrotate ==<br />
<br />
You should review the [[logrotate]] configuration to make sure the box is not brought down by a lack of disk space due to logging.<br />
<br />
Logrotate is installed by default, so you will not have to install it.<br />
<br />
==Optional additions==<br />
<br />
===UPnP===<br />
The above configuration of shorewall does not include [http://en.wikipedia.org/wiki/UPnP UPnP] support. Use of [http://en.wikipedia.org/wiki/UPnP UPnP] is discouraged as it may make the gateway vulnerable to attacks from within the LAN. However, some applications such as MSN require this to function correctly.<br />
<br />
Read the [http://www.shorewall.net/UPnP.html Shorewall guide on UPnP] for more information.<br />
<br />
===Remote administration===<br />
<br />
[[SSH|OpenSSH]] can be used to administer your router remotely. This is useful for running it "headless" (no monitor or input devices).<br />
<br />
=== Caching web proxy ===<br />
<br />
See [[Squid]] or [[Polipo]] for the setup of a web proxy to speed up browsing and/or adding an extra layer of security.<br />
<br />
=== Time server ===<br />
To use the router as a time server, see [[Network Time Protocol]].<br />
<br />
Then, configure shorewall or iptables to allow NTP traffic in and out.<br />
<br />
=== Content filtering ===<br />
<br />
Install and configure [[DansGuardian]] or [[Privoxy]] if you need a content filtering solution.<br />
<br />
=== Traffic shaping ===<br />
<br />
Traffic shaping is very useful, especially when you are not the only one on the LAN. The idea is to assign a priority to different types of traffic. Interactive traffic (ssh, online gaming) probably needs the highest priority, while P2P traffic can do with the lowest. Then there is everything in between.<br />
<br />
==== Traffic shaping with shorewall ====<br />
<br />
Read [http://www.shorewall.net/traffic_shaping.htm Shorewall's Traffic Shaping/Control] guide.<br />
<br />
Here is my config as an example:<br />
* /etc/shorewall/tcdevices : here is where you define the interface you want to have shaped and its rates. I have an ADSL connection with a 4MBit down/256KBit up profile.<br />
ppp0 4mbit 256kbit<br />
* /etc/shorewall/tcclasses : here you define the minimum (rate) and maximum (ceil) throughput per class. You will assign each one to a type of traffic to shape.<br />
# interactive traffic (ssh)<br />
ppp0 1 full full 0<br />
# online gaming<br />
ppp0 2 full/2 full 5<br />
# http<br />
ppp0 3 full/4 full 10<br />
# rest<br />
ppp0 4 full/6 full 15 default<br />
* /etc/shorewall/tcrules : this file maps each type of traffic to the class it belongs to.<br />
1 0.0.0.0/0 0.0.0.0/0 tcp ssh<br />
2 0.0.0.0/0 0.0.0.0/0 udp 27000:28000<br />
3 0.0.0.0/0 0.0.0.0/0 tcp http<br />
3 0.0.0.0/0 0.0.0.0/0 tcp https<br />
I have split my traffic into 4 groups:<br />
# interactive traffic or ssh: although it takes up almost no bandwidth, it is very annoying if it lags due to leechers on the LAN. This gets the highest priority.<br />
# online gaming: needless to say, you cannot play when your ping is bad. ;)<br />
# web traffic: can be a bit slower.<br />
# everything else: every sort of download; they are the cause of the lag anyway.<br />
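The three files above only work together if they agree with each other. As an added example that is not part of the original article or of Shorewall, the script below reads constructed copies of the tcdevices, tcclasses and tcrules content shown above and cross-checks them: a tcrules mark must refer to a class that exists, a class's ceil must not be below its rate, each device needs exactly one default class, and the guaranteed rates are summed because HTB can only honour guarantees whose total fits within the parent's rate. It assumes the "full" and "full/N" rate shorthand used above (absolute rates such as 128kbit are not handled) and the function names are constructed for the example; run on the config above it reports that the four guarantees add up to 192% of the link.<br />
<br />
```python
import re
from fractions import Fraction

# Constructed copies of the three Shorewall files from the section above.
TCDEVICES = "ppp0 4mbit 256kbit\n"
TCCLASSES = """\
# interactive traffic (ssh)
ppp0 1 full full 0
# online gaming
ppp0 2 full/2 full 5
# http
ppp0 3 full/4 full 10
# rest
ppp0 4 full/6 full 15 default
"""
TCRULES = """\
1 0.0.0.0/0 0.0.0.0/0 tcp ssh
2 0.0.0.0/0 0.0.0.0/0 udp 27000:28000
3 0.0.0.0/0 0.0.0.0/0 tcp http
3 0.0.0.0/0 0.0.0.0/0 tcp https
"""


def _rows(text):
    """Whitespace-split fields of every non-empty, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def full_fraction(spec):
    """Translate the 'full' shorthand into a share of the device bandwidth:
    'full' -> 1, 'full/2' -> 1/2, 'full*9/10' -> 9/10 (assumed forms only)."""
    m = re.fullmatch(r"full(?:\*(\d+))?(?:/(\d+))?", spec)
    if not m:
        raise ValueError(f"unsupported rate specification: {spec}")
    return Fraction(int(m.group(1) or 1), int(m.group(2) or 1))


def check_shaping(tcdevices, tcclasses, tcrules):
    """Cross-check the three files; returns a list of findings (empty = clean)."""
    findings = []
    devices = [row[0] for row in _rows(tcdevices)]
    rates = {}       # (interface, class number) -> guaranteed share of the link
    defaults = {}    # interface -> number of classes flagged 'default'

    # tcclasses columns: INTERFACE MARK RATE CEIL PRIORITY [OPTIONS]
    for row in _rows(tcclasses):
        iface, number, rate, ceil, _prio = row[:5]
        options = row[5:]
        if iface not in devices:
            findings.append(f"class {number}: interface {iface} is not listed in tcdevices")
        rate_f, ceil_f = full_fraction(rate), full_fraction(ceil)
        if ceil_f < rate_f:
            findings.append(f"class {number}: ceil {ceil} is below rate {rate}")
        rates[(iface, int(number))] = rate_f
        if "default" in options:
            defaults[iface] = defaults.get(iface, 0) + 1

    for iface in devices:
        n_default = defaults.get(iface, 0)
        if n_default != 1:
            findings.append(f"{iface}: expected exactly one default class, found {n_default}")
        # HTB guarantees are only meaningful if their sum fits in the parent's rate.
        total = sum((r for (i, _), r in rates.items() if i == iface), Fraction(0))
        if total > 1:
            findings.append(
                f"{iface}: guaranteed rates add up to {float(total):.0%} of the link "
                f"and cannot all be honoured at once")

    # tcrules first column is the MARK; it must name a class defined above.
    known = {number for _, number in rates}
    for row in _rows(tcrules):
        mark = int(re.match(r"\d+", row[0]).group())
        if mark not in known:
            findings.append(f"tcrules mark {mark} has no matching tcclasses entry")
    return findings


if __name__ == "__main__":
    for finding in check_shaping(TCDEVICES, TCCLASSES, TCRULES):
        print(finding)
```

The oversubscription finding is a caveat rather than an error: the priorities still order the classes, but the rate column is a guarantee, and with class 1 set to the full link the other three guarantees can only be met while ssh is idle.<br />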
<br />
===Intrusion detection and prevention with snort===<br />
<br />
See [[Snort]].<br />
<br />
==See also==<br />
*[[Simple stateful firewall]]<br />
*[[Internet Share]]</div>Foucaulthttps://wiki.archlinux.org/index.php?title=Router&diff=268476Router2013-07-28T00:17:57Z<p>Foucault: /* ADSL connection */</p>
<hr />
Foucaulthttps://wiki.archlinux.org/index.php?title=Router&diff=268475Router2013-07-28T00:17:40Z<p>Foucault: /* IP configuration */</p>
<hr />
<div>[[Category:Networking]]<br />
[[Category:Security]]<br />
{{Out of date|No more rc.conf, no more eth0,1,2}}<br />
This article is a tutorial for turning a computer into an internet gateway/router. It focuses on ''security'', since the gateway is connected directly to the Internet. It should not run '''any''' services available to the outside world. Towards the LAN, it should only run gateway specific services. It should not run httpd, ftpd, samba, nfsd, etc. as those belong on a server in the LAN as they introduce security flaws.<br />
<br />
This article does not attempt to show how to set up a shared connection between 2 PCs using cross-over cables. For a simple internet sharing solution, see [[Internet Share]].<br />
<br />
==Hardware Requirements==<br />
* At least 1 GB of hard drive space. The base install will take up around 500MB of space and if you want to use a caching web proxy, you will need to reserve space for the cache as well.<br />
* At least two physical network interfaces: a gateway connects two networks with each other. You will need to be able to connect those networks to the same physical computer. One interface must connect to the external network, while the other connects to the internal network.<br />
* A hub, switch or UTP cable: You need a way to connect the other computers to the gateway<br />
<br />
==Conventions==<br />
Conventions in this guide will be to use non-realistic interface names, to avoid confusion about which interface is which.<br />
<br />
* '''intern0''': the network card connected to the LAN. On an actual computer it will probably have the name enp2s0, enp1s1, etc.<br />
* '''extern1''': the network card connected to the external network (or WAN). It will probably have the name enp2s0, enp1s1, etc.<br />
<br />
==Installation==<br />
{{Note | For a full installation guide, see the [[Official Arch Linux Install Guide]].}}<br />
<br />
A fresh install of Arch Linux is the easiest to start from, as no configuration changes have been made and there is a minimal amount of packages installed. This is helpful when attempting to reduce security risk.<br />
<br />
===Partitioning===<br />
<br />
For security purposes, {{ic|/var}}, {{ic|/tmp}} and {{ic|/home}} should be separate from the {{ic|/}} partition. This prevents disk space from being completely used up by log files, daemons or the unprivileged user. It also allows different mount options for those partitions. If you have already partitioned your drive, the [http://gparted.sourceforge.net/ gparted livecd] can be used to resize, move, or create new partitions.<br />
<br />
Your home and root partitions can be much smaller than a regular install since this is not a desktop machine. {{ic|/var}} should be the largest partition—it is where databases, logs and long-term caches are stored. If you have a lot of RAM, mounting {{ic|/tmp}} as {{ic|tmpfs}} is a good idea, so making a disk partition for it during the initial install is unnecessary. Note that {{ic|/tmp}} is mounted as {{ic|tmpfs}} by default in Arch.<br />
<br />
===Post-Installation===<br />
After creation of non-root account you are recommended to install [[sudo]] and [[sudo#Disable root login|disable root login]].<br />
<br />
==Network interface configuration==<br />
<br />
===Persistent naming and Interface renaming===<br />
Systemd automatically chooses unique interface names for all your interfaces. These are persistent and will not change when you reboot. If you would like to rename interface to user friendlier names read [[Network_Configuration#Device_names]].<br />
<br />
===IP configuration===<br />
Now you will need to configure the network interfaces. The best way to do so is using [[netctl]] profiles. You will need to create two profiles.<br />
{{Note|If you will be connecting to the Internet only via PPPoE (you have one WAN port) you '''do not need''' to setup or enable the extern0-profile. See below for more information on configuring PPPoE.}}<br />
* /etc/netctl/extern0-profile<br />
Description='Public Interface.'<br />
Interface=extern0<br />
Connection=ethernet<br />
IP='dhcp'<br />
<br />
* /etc/netctl/intern0-profile<br />
Description='Private Interface'<br />
Interface=intern0<br />
Connection=ethernet<br />
IP='static'<br />
Address=('10.0.0.1/24')<br />
<br />
{{Note|The example configuration above assumes a full subnet. If you are building the gateway for a small amount of people, you will want to change the CIDR suffix to accommodate a smaller range.}}<br />
<br />
Next up is to set up the interfaces with netctl.<br />
# netctl enable extern0-profile<br />
# netctl enable intern0-profile<br />
<br />
==ADSL connection==<br />
Using rp-pppoe, we can connect an ADSL modem to the extern1 of the firewall and have Arch manage the connection. Make sure you put the modem in ''bridged'' mode though (either half-bridge or RFC1483), otherwise the modem will act as a router too.<br />
# pacman -S rp-pppoe<br />
<br />
It should be noted that if you use only PPPoE to connect to the internet (ie. you do not have other WAN port, except for the one that connects to your modem) you do not need to set up the extern0-profile as our external pseudo-interface will be ppp0.<br />
<br />
===PPPoE configuration===<br />
You can use netctl to setup the pppoe connection. To get started<br />
# cp /etc/netctl/examples/pppoe /etc/netctl/<br />
and start editing. For the interface configuration choose the interface that connects to the modem. If you only connect to the internet through PPPoE this will probably be '''extern0'''. Fill in the rest of the fields with your ISP information. See the pppoe section in netctl.profile man page for more information on the fields.<br />
<br />
==DNS and DHCP==<br />
We will use [[dnsmasq]], a DNS and DHCP daemon for the LAN. It was specifically designed for small sites. To get it, [[Pacman | install]] {{Pkg|dnsmasq}} from the [[official repositories]].<br />
<br />
Dnsmasq needs to be configured to be a DHCP server. To do this:<br />
<br />
Edit {{ic|/etc/dnsmasq.conf}}:<br />
<br />
interface=intern0 # make dnsmasq listen for requests only on intern0 (our LAN)<br />
expand-hosts # add a domain to simple hostnames in /etc/hosts<br />
domain=foo.bar # allow fully qualified domain names for DHCP hosts (needed when<br />
# "expand-hosts" is used)<br />
dhcp-range=10.0.0.2,10.0.0.255,255.255.255.0,1h # defines a DHCP-range for the LAN: <br />
# from 10.0.0.2 to .255 with a subnet mask of 255.255.255.0 and a<br />
# DHCP lease of 1 hour (change to your own preferences)<br />
<br />
Somewhere below, you will notice you can also add "static" DHCP leases, i.e. assign an IP-address to the MAC-address of a computer on the LAN. This way, whenever the computer requests a new lease, it will get the same IP. That is very useful for network servers with a DNS record. You can also deny certain MAC's from obtaining an IP.<br />
<br />
Now start dnsmasq:<br />
# systemctl start dnsmasq.service<br />
<br />
==Connection sharing==<br />
<br />
Time to tie the two network interfaces to each other.<br />
===iptables===<br />
[[Simple stateful firewall]] documents the setup of an [[iptables]] firewall and NAT.<br />
<br />
===Shorewall===<br />
Shorewall, an iptables frontend, can be used as an easier alternative.<br />
<br />
# pacman -S shorewall<br />
<br />
====Shorewall configuration====<br />
<br />
See [[Shorewall]] for Shorewall configuration.<br />
<br />
==Cleanup==<br />
<br />
Now that the installation has been performed, it is necessary to remove as many packages as possible. Since we are making a gateway, keeping unneeded packages only "bloats" the system, and increases the number of security risks.<br />
<br />
First, check for obsolete/deprecated packages (likely after a fresh install and massive series of updates):<br />
<br />
$ pacman -Qm<br />
<br />
Review the list of explicitly installed packages that are not dependencies and remove any that are unneeded. Having only needed packages installed is an important security consideration.<br />
<br />
$ pacman -Qet<br />
<br />
Completely remove the packages you do not need along with their configuration files and dependencies:<br />
<br />
# pacman -Rsn package1 package2 package3<br />
<br />
== Logrotate ==<br />
<br />
You should review the [[logrotate]] configuration to make sure the box is not brought down by lack of diskspace due to logging.<br />
<br />
Logrotate is installed by default, so you will not have to install it.<br />
<br />
==Optional additions==<br />
<br />
===UPnP===<br />
The above configuration of shorewall does not include [http://en.wikipedia.org/wiki/UPnP UPnP] support. Use of [http://en.wikipedia.org/wiki/UPnP UPnP] is discouraged as it may make the gateway vulnerable to attacks from within the LAN. However, some applications such as MSN require this to function correctly.<br />
<br />
Read the [http://www.shorewall.net/UPnP.html Shorewall guide on UPnP] for more information<br />
<br />
===Remote administration===<br />
<br />
[[SSH|OpenSSH]] can be used to administer your router remotely. This is useful for running it "headless" (no monitor or input devices).<br />
<br />
=== Caching web proxy ===<br />
<br />
See [[Squid]] or [[Polipo]] for the setup of a web proxy to speed up browsing and/or adding an extra layer of security.<br />
<br />
=== Time server ===<br />
To use the router as a time server, see [[Network Time Protocol]].<br />
<br />
Then, configure shorewall or iptables to allow NTP traffic in and out.<br />
<br />
=== Content filtering ===<br />
<br />
Install and configure [[DansGuardian]] or [[Privoxy]] if you need a content filtering solution.<br />
<br />
=== Traffic shaping ===<br />
<br />
Traffic shaping is very useful, especially when you are not the only one on the LAN. The idea is to assign a priority to different types of traffic. Interactive traffic (ssh, online gaming) probably needs the highest priority, while P2P traffic can do with the lowest. Then there is everything in between.<br />
<br />
==== Traffic shaping with shorewall ====<br />
<br />
Read [http://www.shorewall.net/traffic_shaping.htm Shorewall's Traffic Shaping/Control] guide.<br />
<br />
Here is my config as an example:<br />
* /etc/shorewall/tcdevices : here is where you define the interface you want to have shaped and its rates. I have got a ADSL connection with a 4MBit down/256KBit up profile.<br />
ppp0 4mbit 256kbit <br />
* /etc/shorewall/tcclasses : here you define the minimum (rate) and maximum (ceil) throughput per class. You will assign each one to a type of traffic to shape.<br />
# interactive traffic (ssh)<br />
ppp0 1 full full 0<br />
# online gaming<br />
ppp0 2 full/2 full 5<br />
# http<br />
ppp0 3 full/4 full 10<br />
# rest<br />
ppp0 4 full/6 full 15 default<br />
* /etc/shorewall/tcrules : this file contains the types of traffic and the class it belongs to.<br />
1 0.0.0.0/0 0.0.0.0/0 tcp ssh<br />
2 0.0.0.0/0 0.0.0.0/0 udp 27000:28000<br />
3 0.0.0.0/0 0.0.0.0/0 tcp http<br />
3 0.0.0.0/0 0.0.0.0/0 tcp https<br />
I have split my traffic up into 4 groups:<br />
# interactive traffic or ssh: although it takes up almost no bandwidth, it is very annoying if it lags due to leechers on the LAN. This gets the highest priority.<br />
# online gaming: needless to say, you cannot play when your ping sucks. ;)<br />
# web traffic: can be a bit slower<br />
# everything else: every sort of download; they are the cause of the lag anyway.<br />
<br />
===Intrusion detection and prevention with snort===<br />
<br />
See [[Snort]].<br />
<br />
==See also==<br />
*[[Simple stateful firewall]]<br />
*[[Internet Share]]</div>Foucaulthttps://wiki.archlinux.org/index.php?title=Router&diff=268474Router2013-07-28T00:16:12Z<p>Foucault: /* Persistent naming */ Systemd autoconfigures interface names</p>
<hr />
<div>[[Category:Networking]]<br />
[[Category:Security]]<br />
{{Out of date|No more rc.conf, no more eth0,1,2}}<br />
This article is a tutorial for turning a computer into an internet gateway/router. It focuses on ''security'', since the gateway is connected directly to the Internet. It should not run '''any''' services available to the outside world. Towards the LAN, it should only run gateway-specific services. Do not run httpd, ftpd, samba, nfsd, etc. on it: those belong on a server inside the LAN, as each such service adds attack surface to the one host that is exposed to the Internet.<br />
<br />
This article does not attempt to show how to set up a shared connection between 2 PCs using cross-over cables. For a simple internet sharing solution, see [[Internet Share]].<br />
<br />
==Hardware Requirements==<br />
* At least 1 GB of hard drive space. The base install will take up around 500MB of space and if you want to use a caching web proxy, you will need to reserve space for the cache as well.<br />
* At least two physical network interfaces: a gateway connects two networks with each other. You will need to be able to connect those networks to the same physical computer. One interface must connect to the external network, while the other connects to the internal network.<br />
* A hub, switch or UTP cable: you need a way to connect the other computers to the gateway.<br />
<br />
==Conventions==<br />
Conventions in this guide will be to use non-realistic interface names, to avoid confusion about which interface is which.<br />
<br />
* '''intern0''': the network card connected to the LAN. On an actual computer it will probably have the name enp2s0, enp1s1, etc.<br />
* '''extern1''': the network card connected to the external network (or WAN). It will probably have the name enp2s0, enp1s1, etc.<br />
<br />
==Installation==<br />
{{Note | For a full installation guide, see the [[Official Arch Linux Install Guide]].}}<br />
<br />
A fresh install of Arch Linux is the easiest to start from, as no configuration changes have been made and there is a minimal amount of packages installed. This is helpful when attempting to reduce security risk.<br />
<br />
===Partitioning===<br />
<br />
For security purposes, {{ic|/var}}, {{ic|/tmp}} and {{ic|/home}} should be separate from the {{ic|/}} partition. This prevents disk space from being completely used up by log files, daemons or the unprivileged user. It also allows different mount options for those partitions. If you have already partitioned your drive, the [http://gparted.sourceforge.net/ gparted livecd] can be used to resize, move, or create new partitions.<br />
<br />
Your home and root partitions can be much smaller than a regular install since this is not a desktop machine. {{ic|/var}} should be the largest partition—it is where databases, logs and long-term caches are stored. If you have a lot of RAM, mounting {{ic|/tmp}} as {{ic|tmpfs}} is a good idea, so making a disk partition for it during the initial install is unnecessary. Note that {{ic|/tmp}} is mounted as {{ic|tmpfs}} by default in Arch.<br />
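One way to apply the separate-partition advice above, as an added example that is not part of this article: an {{ic|/etc/fstab}} fragment with constructed device names (replace them with your own partitions or UUIDs) that gives each filesystem the mount options its role allows. {{ic|nodev}} and {{ic|nosuid}} stop device nodes and setuid binaries from being honoured on filesystems that should never contain them; {{ic|noexec}} on {{ic|/tmp}} and {{ic|/home}} blocks execution from locations writable by unprivileged users or daemons. The {{ic|/tmp}} line shows how the default tmpfs mount can carry the same options and a size cap so that a runaway process cannot exhaust RAM.<br />
<br />
```fstab
# constructed example, not the article's layout: replace /dev/sdaN with your own partitions or UUIDs
# <device>   <mount point>  <type>  <options>                                 <dump> <pass>
/dev/sda2    /              ext4    defaults,noatime                          0      1
/dev/sda3    /var           ext4    defaults,noatime,nodev,nosuid             0      2
/dev/sda4    /home          ext4    defaults,noatime,nodev,nosuid,noexec      0      2
tmpfs        /tmp           tmpfs   defaults,nodev,nosuid,noexec,size=512M    0      0
```
<br />
{{ic|/var}} is left without {{ic|noexec}} here because package and cache tooling may need to run helpers from it; test a full {{ic|pacman -Syu}} after tightening any of these options, and loosen only the one that breaks.<br />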
<br />
===Post-Installation===<br />
After creating a non-root account, it is recommended to install [[sudo]] and [[sudo#Disable root login|disable root login]].<br />
<br />
==Network interface configuration==<br />
<br />
===Persistent naming and Interface renaming===<br />
Systemd automatically chooses unique interface names for all your interfaces. These are persistent and will not change when you reboot. If you would like to rename the interfaces to friendlier names, read [[Network_Configuration#Device_names]].<br />
<br />
===IP configuration===<br />
Now you will need to configure the network interfaces. The best way to do so is using [[netctl]] profiles. You will need to create two profiles.<br />
{{Note|If you will be connecting to the Internet only via PPPoE (you have one WAN port), you do not need to set up or enable the extern0-profile. See below for more information on configuring PPPoE.}}<br />
* /etc/netctl/extern0-profile<br />
Description='Public Interface.'<br />
Interface=extern0<br />
Connection=ethernet<br />
IP='dhcp'<br />
<br />
* /etc/netctl/intern0-profile<br />
Description='Private Interface'<br />
Interface=intern0<br />
Connection=ethernet<br />
IP='static'<br />
Address=('10.0.0.1/24')<br />
<br />
{{Note|The example configuration above assumes a full subnet. If you are building the gateway for a small amount of people, you will want to change the CIDR suffix to accommodate a smaller range.}}<br />
<br />
Next up is to set up the interfaces with netctl.<br />
# netctl enable extern0-profile<br />
# netctl enable intern0-profile<br />
<br />
==ADSL connection==<br />
Using rp-pppoe, we can connect an ADSL modem to the extern1 interface of the firewall and have Arch manage the connection. Make sure you put the modem in ''bridged'' mode though (either half-bridge or RFC1483); otherwise the modem will act as a router too.<br />
# pacman -S rp-pppoe<br />
<br />
It should be noted that if you use only PPPoE to connect to the internet (i.e. you do not have another WAN port besides the one that connects to your modem), you do not need to set up the extern0-profile, as our external pseudo-interface will be ppp0.<br />
<br />
===PPPoE configuration===<br />
You can use netctl to set up the PPPoE connection. To get started:<br />
# cp /etc/netctl/examples/pppoe /etc/netctl/<br />
and start editing. For the interface configuration, choose the interface that connects to the modem. If you only connect to the internet through PPPoE, this will probably be '''extern0'''. Fill in the rest of the fields with your ISP information. See the pppoe section of the netctl.profile man page for more information on the fields.<br />
<br />
==DNS and DHCP==<br />
We will use [[dnsmasq]], a DNS and DHCP daemon for the LAN. It was specifically designed for small sites. To get it, [[Pacman | install]] {{Pkg|dnsmasq}} from the [[official repositories]].<br />
<br />
Dnsmasq needs to be configured to be a DHCP server. To do this:<br />
<br />
Edit {{ic|/etc/dnsmasq.conf}}:<br />
<br />
interface=intern0 # make dnsmasq listen for requests only on intern0 (our LAN)<br />
expand-hosts # add a domain to simple hostnames in /etc/hosts<br />
domain=foo.bar # allow fully qualified domain names for DHCP hosts (needed when<br />
# "expand-hosts" is used)<br />
dhcp-range=10.0.0.2,10.0.0.255,255.255.255.0,1h # defines a DHCP-range for the LAN: <br />
# from 10.0.0.2 to .255 with a subnet mask of 255.255.255.0 and a<br />
# DHCP lease of 1 hour (change to your own preferences)<br />
<br />
Somewhere below, you will notice you can also add "static" DHCP leases, i.e. assign an IP address to the MAC address of a computer on the LAN. This way, whenever the computer requests a new lease, it will get the same IP. That is very useful for network servers with a DNS record. You can also deny certain MAC addresses from obtaining an IP.<br />
<br />
Now start dnsmasq:<br />
# systemctl start dnsmasq.service<br />
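The DHCP range above has to agree with the address given to intern0 in the netctl profile, and a typo in either file is easy to miss until a client gets an unusable lease. The following script is an added example and is not part of this article or of dnsmasq: it reads the gateway address from a constructed copy of the intern0-profile and the {{ic|dhcp-range}} line from a constructed copy of the dnsmasq.conf lines above, and reports addresses that should never be leased on that interface (anything outside the subnet, the network and broadcast addresses, and the gateway's own address). It assumes the plain {{ic|start,end[,netmask],lease}} form of {{ic|dhcp-range}} used in this article. Run against the values above it reports one finding: the range ends at 10.0.0.255, which is the broadcast address of 10.0.0.0/24 and cannot be used by a host, so the range should stop at 10.0.0.254.<br />
<br />
```python
"""Check that a dnsmasq dhcp-range fits the LAN interface it serves.

Added example, not part of the Router article or of dnsmasq. It reads the
gateway address from the netctl intern0-profile and the dhcp-range line(s)
from dnsmasq.conf, both constructed from the article's values, and reports
addresses a DHCP server should never hand out on that interface.
"""
from __future__ import annotations

import ipaddress
import re
from typing import Iterator

# Constructed copies of the article's netctl profile and dnsmasq.conf lines.
INTERN0_PROFILE = """
Description='Private Interface'
Interface=intern0
Connection=ethernet
IP='static'
Address=('10.0.0.1/24')
"""

DNSMASQ_CONF = """
interface=intern0
expand-hosts
domain=foo.bar
dhcp-range=10.0.0.2,10.0.0.255,255.255.255.0,1h
"""


def gateway_interface(profile: str) -> ipaddress.IPv4Interface:
    """Return the first Address=('a.b.c.d/len') entry of a netctl profile."""
    m = re.search(r"^Address=\('([^']+)'", profile, re.M)
    if not m:
        raise ValueError("profile has no Address= entry")
    return ipaddress.IPv4Interface(m.group(1))


def dhcp_ranges(conf: str) -> Iterator[tuple[ipaddress.IPv4Address, ipaddress.IPv4Address, str]]:
    """Yield (start, end, lease) from each dhcp-range= line.

    Assumes the plain start,end[,netmask],lease form used in the article; the
    tagged and IPv6 forms of dhcp-range are not handled here.
    """
    for m in re.finditer(r"^dhcp-range=([^\s#]+)", conf, re.M):
        fields = m.group(1).split(",")
        yield ipaddress.IPv4Address(fields[0]), ipaddress.IPv4Address(fields[1]), fields[-1]


def check_dhcp_range(profile: str, conf: str) -> list[str]:
    """Return problems with the dhcp-range lines relative to the interface's subnet."""
    gw = gateway_interface(profile)
    net = gw.network  # host bits masked off, e.g. 10.0.0.0/24
    problems: list[str] = []
    for start, end, lease in dhcp_ranges(conf):
        label = f"dhcp-range {start}-{end} ({lease})"
        if start > end:
            problems.append(f"{label}: start is after end")
            continue
        if start not in net or end not in net:
            problems.append(f"{label}: lies partly outside the interface subnet {net}")
            continue
        if start == net.network_address:
            problems.append(f"{label}: starts at the network address; use {start + 1}")
        if end == net.broadcast_address:
            problems.append(f"{label}: ends at the broadcast address; use {end - 1}")
        if start <= gw.ip <= end:
            problems.append(f"{label}: contains the gateway's own address {gw.ip}")
    return problems


if __name__ == "__main__":
    for line in check_dhcp_range(INTERN0_PROFILE, DNSMASQ_CONF) or ["no problems found"]:
        print(line)
```
<br />
Rerunning the check after narrowing the CIDR suffix, as the note above suggests for a small LAN, is the quickest way to see whether the DHCP range still fits: with {{ic|10.0.0.1/25}} the same {{ic|dhcp-range}} is reported as lying outside the subnet.<br />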
<br />
==Connection sharing==<br />
<br />
Time to tie the two network interfaces to each other.<br />
===iptables===<br />
[[Simple stateful firewall]] documents the setup of an [[iptables]] firewall and NAT.<br />
<br />
===Shorewall===<br />
Shorewall, an iptables frontend, can be used as an easier alternative.<br />
<br />
# pacman -S shorewall<br />
<br />
====Shorewall configuration====<br />
<br />
See [[Shorewall]] for Shorewall configuration.<br />
<br />
==Cleanup==<br />
<br />
Now that the installation has been performed, it is necessary to remove as many packages as possible. Since we are making a gateway, keeping unneeded packages only "bloats" the system, and increases the number of security risks.<br />
<br />
First, check for obsolete/deprecated packages (likely after a fresh install followed by a long series of updates):<br />
<br />
$ pacman -Qm<br />
<br />
Review the list of explicitly installed packages that are not dependencies and remove any that are unneeded. Having only needed packages installed is an important security consideration.<br />
<br />
$ pacman -Qet<br />
<br />
Completely remove the packages you do not need along with their configuration files and dependencies:<br />
<br />
# pacman -Rsn package1 package2 package3<br />
<br />
== Logrotate ==<br />
<br />
You should review the [[logrotate]] configuration to make sure the box is not brought down by lack of disk space due to logging.<br />
<br />
Logrotate is installed by default, so you will not have to install it.<br />
<br />
==Optional additions==<br />
<br />
===UPnP===<br />
The above configuration of shorewall does not include [http://en.wikipedia.org/wiki/UPnP UPnP] support. Use of [http://en.wikipedia.org/wiki/UPnP UPnP] is discouraged as it may make the gateway vulnerable to attacks from within the LAN. However, some applications such as MSN require this to function correctly.<br />
<br />
Read the [http://www.shorewall.net/UPnP.html Shorewall guide on UPnP] for more information.<br />
<br />
===Remote administration===<br />
<br />
[[SSH|OpenSSH]] can be used to administer your router remotely. This is useful for running it "headless" (no monitor or input devices).<br />
<br />
=== Caching web proxy ===<br />
<br />
See [[Squid]] or [[Polipo]] for the setup of a web proxy to speed up browsing and/or adding an extra layer of security.<br />
<br />
=== Time server ===<br />
To use the router as a time server, see [[Network Time Protocol]].<br />
<br />
Then, configure shorewall or iptables to allow NTP traffic in and out.<br />
<br />
=== Content filtering ===<br />
<br />
Install and configure [[DansGuardian]] or [[Privoxy]] if you need a content filtering solution.<br />
<br />
=== Traffic shaping ===<br />
<br />
Traffic shaping is very useful, especially when you are not the only one on the LAN. The idea is to assign a priority to different types of traffic. Interactive traffic (ssh, online gaming) probably needs the highest priority, while P2P traffic can do with the lowest. Then there is everything in between.<br />
<br />
==== Traffic shaping with shorewall ====<br />
<br />
Read [http://www.shorewall.net/traffic_shaping.htm Shorewall's Traffic Shaping/Control] guide.<br />
<br />
Here is my config as an example:<br />
* /etc/shorewall/tcdevices : here is where you define the interface you want to have shaped and its rates. I have an ADSL connection with a 4MBit down/256KBit up profile.<br />
ppp0 4mbit 256kbit <br />
* /etc/shorewall/tcclasses : here you define the minimum (rate) and maximum (ceil) throughput per class. You will assign each one to a type of traffic to shape.<br />
# interactive traffic (ssh)<br />
ppp0 1 full full 0<br />
# online gaming<br />
ppp0 2 full/2 full 5<br />
# http<br />
ppp0 3 full/4 full 10<br />
# rest<br />
ppp0 4 full/6 full 15 default<br />
* /etc/shorewall/tcrules : this file contains the types of traffic and the class it belongs to.<br />
1 0.0.0.0/0 0.0.0.0/0 tcp ssh<br />
2 0.0.0.0/0 0.0.0.0/0 udp 27000:28000<br />
3 0.0.0.0/0 0.0.0.0/0 tcp http<br />
3 0.0.0.0/0 0.0.0.0/0 tcp https<br />
I have split my traffic up into 4 groups:<br />
# interactive traffic or ssh: although it takes up almost no bandwidth, it is very annoying if it lags due to leechers on the LAN. This gets the highest priority.<br />
# online gaming: needless to say, you cannot play when your ping sucks. ;)<br />
# web traffic: can be a bit slower<br />
# everything else: every sort of download; they are the cause of the lag anyway.<br />
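The three files above reference each other by device name and class mark, and a mismatch only shows up as an odd {{ic|tc}} error or silently unshaped traffic. The following script is an added example and is not part of this article or of Shorewall: it parses constructed copies of the tcdevices, tcclasses and tcrules files above and checks that every rule marks a class that tcclasses defines, that each device has exactly one {{ic|default}} class, that no class has a RATE above its CEIL, and that the guaranteed rates fit inside the OUT-BANDWIDTH of the device (HTB, which Shorewall uses underneath, can only honour guarantees that sum to at most the parent's rate). The bandwidth unit table is an assumption taken from {{ic|tc}}'s own units, and the {{ic|full/N}} expansion mirrors the syntax used above. Run against these exact files it reports a single finding: {{ic|full}}, {{ic|full/2}}, {{ic|full/4}} and {{ic|full/6}} add up to more than 256kbit, so the four RATE values are preferences rather than guarantees.<br />
<br />
```python
"""Cross-check a Shorewall traffic-shaping configuration.

Added example, not part of the Router article or of Shorewall. It parses
constructed copies of the tcdevices, tcclasses and tcrules files from the
article and reports inconsistencies before they reach the kernel.
"""
from __future__ import annotations

import re

# Constructed copies of the three files shown in the article.
TCDEVICES = """
ppp0 4mbit 256kbit
"""

TCCLASSES = """
# interactive traffic (ssh)
ppp0 1 full full 0
# online gaming
ppp0 2 full/2 full 5
# http
ppp0 3 full/4 full 10
# rest
ppp0 4 full/6 full 15 default
"""

TCRULES = """
1 0.0.0.0/0 0.0.0.0/0 tcp ssh
2 0.0.0.0/0 0.0.0.0/0 udp 27000:28000
3 0.0.0.0/0 0.0.0.0/0 tcp http
3 0.0.0.0/0 0.0.0.0/0 tcp https
"""

# Bandwidth units in bit/s as tc understands them; assumed to be what Shorewall passes through.
_UNITS = {"bit": 1, "kbit": 1_000, "mbit": 1_000_000,
          "bps": 8, "kbps": 8_000, "mbps": 8_000_000}


def parse_bandwidth(text: str) -> int:
    """'256kbit' -> 256000 bit/s."""
    m = re.fullmatch(r"(\d+)([a-z]+)", text.lower())
    if not m or m.group(2) not in _UNITS:
        raise ValueError(f"unrecognised bandwidth {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def resolve_rate(spec: str, full: int) -> int:
    """Expand 'full', 'full/N' or an explicit bandwidth against the device's OUT-BANDWIDTH."""
    spec = spec.lower()
    if spec == "full":
        return full
    m = re.fullmatch(r"full/(\d+)", spec)
    if m:
        return full // int(m.group(1))
    return parse_bandwidth(spec)


def _rows(text: str) -> list[list[str]]:
    """Whitespace-separated columns of every non-blank, non-comment line."""
    return [ln.split() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def check_tc(tcdevices: str, tcclasses: str, tcrules: str) -> list[str]:
    """Return human-readable problems; an empty list means the three files agree."""
    problems: list[str] = []
    # tcdevices: INTERFACE IN-BANDWIDTH OUT-BANDWIDTH; classes shape the OUT side.
    out_bw = {row[0]: parse_bandwidth(row[2]) for row in _rows(tcdevices)}

    # tcclasses: INTERFACE MARK RATE CEIL PRIORITY [OPTIONS]
    classes: dict[tuple[str, str], dict] = {}
    for row in _rows(tcclasses):
        iface, mark, rate_s, ceil_s, _prio, *opts = row
        if iface not in out_bw:
            problems.append(f"tcclasses: device {iface} is not listed in tcdevices")
            continue
        rate = resolve_rate(rate_s, out_bw[iface])
        ceil = resolve_rate(ceil_s, out_bw[iface])
        if rate > ceil:
            problems.append(f"tcclasses: class {mark} on {iface} has RATE {rate_s} above CEIL {ceil_s}")
        classes[(iface, mark)] = {"rate": rate, "default": "default" in opts}

    for iface, full in out_bw.items():
        mine = [c for (dev, _), c in classes.items() if dev == iface]
        defaults = sum(1 for c in mine if c["default"])
        if defaults != 1:
            problems.append(f"tcclasses: {iface} has {defaults} default classes, need exactly one")
        # HTB only honours guaranteed rates that fit inside the parent's rate.
        total = sum(c["rate"] for c in mine)
        if total > full:
            problems.append(f"tcclasses: guaranteed rates on {iface} sum to {total} bit/s, "
                            f"above OUT-BANDWIDTH {full} bit/s")

    # tcrules: MARK SOURCE DEST PROTO PORT(S); every mark must name a defined class.
    defined = {mark for (_, mark) in classes}
    for row in _rows(tcrules):
        if row[0] not in defined:
            problems.append(f"tcrules: rule '{' '.join(row)}' marks class {row[0]}, "
                            f"which tcclasses does not define")
    return problems


if __name__ == "__main__":
    for line in check_tc(TCDEVICES, TCCLASSES, TCRULES) or ["no problems found"]:
        print(line)
```
<br />
Lowering the interactive class to a rate such as {{ic|full/2}} while keeping its CEIL at {{ic|full}} keeps ssh first in line through the priority column and makes the remaining guarantees add up, which is what the sum check is there to catch.<br />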
<br />
===Intrusion detection and prevention with snort===<br />
<br />
See [[Snort]].<br />
<br />
==See also==<br />
*[[Simple stateful firewall]]<br />
*[[Internet Share]]</div>Foucaulthttps://wiki.archlinux.org/index.php?title=Router&diff=268473Router2013-07-28T00:12:28Z<p>Foucault: /* Conventions */ Change eth0 to systemd names</p>
<hr />
<div>[[Category:Networking]]<br />
[[Category:Security]]<br />
{{Out of date|No more rc.conf, no more eth0,1,2}}<br />
This article is a tutorial for turning a computer into an internet gateway/router. It focuses on ''security'', since the gateway is connected directly to the Internet. It should not run '''any''' services available to the outside world. Towards the LAN, it should only run gateway-specific services. Do not run httpd, ftpd, samba, nfsd, etc. on it: those belong on a server inside the LAN, as each such service adds attack surface to the one host that is exposed to the Internet.<br />
<br />
This article does not attempt to show how to set up a shared connection between 2 PCs using cross-over cables. For a simple internet sharing solution, see [[Internet Share]].<br />
<br />
==Hardware Requirements==<br />
* At least 1 GB of hard drive space. The base install will take up around 500MB of space and if you want to use a caching web proxy, you will need to reserve space for the cache as well.<br />
* At least two physical network interfaces: a gateway connects two networks with each other. You will need to be able to connect those networks to the same physical computer. One interface must connect to the external network, while the other connects to the internal network.<br />
* A hub, switch or UTP cable: you need a way to connect the other computers to the gateway.<br />
<br />
==Conventions==<br />
Conventions in this guide will be to use non-realistic interface names, to avoid confusion about which interface is which.<br />
<br />
* '''intern0''': the network card connected to the LAN. On an actual computer it will probably have the name enp2s0, enp1s1, etc.<br />
* '''extern1''': the network card connected to the external network (or WAN). It will probably have the name enp2s0, enp1s1, etc.<br />
<br />
==Installation==<br />
{{Note | For a full installation guide, see the [[Official Arch Linux Install Guide]].}}<br />
<br />
A fresh install of Arch Linux is the easiest to start from, as no configuration changes have been made and there is a minimal amount of packages installed. This is helpful when attempting to reduce security risk.<br />
<br />
===Partitioning===<br />
<br />
For security purposes, {{ic|/var}}, {{ic|/tmp}} and {{ic|/home}} should be separate from the {{ic|/}} partition. This prevents disk space from being completely used up by log files, daemons or the unprivileged user. It also allows different mount options for those partitions. If you have already partitioned your drive, the [http://gparted.sourceforge.net/ gparted livecd] can be used to resize, move, or create new partitions.<br />
<br />
Your home and root partitions can be much smaller than a regular install since this is not a desktop machine. {{ic|/var}} should be the largest partition—it is where databases, logs and long-term caches are stored. If you have a lot of RAM, mounting {{ic|/tmp}} as {{ic|tmpfs}} is a good idea, so making a disk partition for it during the initial install is unnecessary. Note that {{ic|/tmp}} is mounted as {{ic|tmpfs}} by default in Arch.<br />
<br />
===Post-Installation===<br />
After creating a non-root account, it is recommended to install [[sudo]] and [[sudo#Disable root login|disable root login]].<br />
<br />
==Network interface configuration==<br />
<br />
===Persistent naming===<br />
When you let [[udev]] handle loading the modules, you will notice your NICs switch names: one boot your LAN NIC is eth0, the next boot it is eth1, etc. (This may not be true any more; see [http://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames PredictableNetworkInterfaceNames] and [[Network_Configuration#Device_names]].)<br />
<br />
To fix this problem, read [[Network_Configuration#Device_names]].<br />
<br />
===IP configuration===<br />
Now you will need to configure the network interfaces. The best way to do so is using [[netctl]] profiles. You will need to create two profiles.<br />
{{Note|If you will be connecting to the Internet only via PPPoE (you have one WAN port), you do not need to set up or enable the extern0-profile. See below for more information on configuring PPPoE.}}<br />
* /etc/netctl/extern0-profile<br />
Description='Public Interface.'<br />
Interface=extern0<br />
Connection=ethernet<br />
IP='dhcp'<br />
<br />
* /etc/netctl/intern0-profile<br />
Description='Private Interface'<br />
Interface=intern0<br />
Connection=ethernet<br />
IP='static'<br />
Address=('10.0.0.1/24')<br />
<br />
{{Note|The example configuration above assumes a full subnet. If you are building the gateway for a small amount of people, you will want to change the CIDR suffix to accommodate a smaller range.}}<br />
<br />
Next up is to set up the interfaces with netctl.<br />
# netctl enable extern0-profile<br />
# netctl enable intern0-profile<br />
<br />
==ADSL connection==<br />
Using rp-pppoe, we can connect an ADSL modem to the extern1 interface of the firewall and have Arch manage the connection. Make sure you put the modem in ''bridged'' mode though (either half-bridge or RFC1483); otherwise the modem will act as a router too.<br />
# pacman -S rp-pppoe<br />
<br />
It should be noted that if you use only PPPoE to connect to the internet (i.e. you do not have another WAN port besides the one that connects to your modem), you do not need to set up the extern0-profile, as our external pseudo-interface will be ppp0.<br />
<br />
===PPPoE configuration===<br />
You can use netctl to set up the PPPoE connection. To get started:<br />
# cp /etc/netctl/examples/pppoe /etc/netctl/<br />
and start editing. For the interface configuration, choose the interface that connects to the modem. If you only connect to the internet through PPPoE, this will probably be '''extern0'''. Fill in the rest of the fields with your ISP information. See the pppoe section of the netctl.profile man page for more information on the fields.<br />
<br />
==DNS and DHCP==<br />
We will use [[dnsmasq]], a DNS and DHCP daemon for the LAN. It was specifically designed for small sites. To get it, [[Pacman | install]] {{Pkg|dnsmasq}} from the [[official repositories]].<br />
<br />
Dnsmasq needs to be configured to be a DHCP server. To do this:<br />
<br />
Edit {{ic|/etc/dnsmasq.conf}}:<br />
<br />
interface=intern0 # make dnsmasq listen for requests only on intern0 (our LAN)<br />
expand-hosts # add a domain to simple hostnames in /etc/hosts<br />
domain=foo.bar # allow fully qualified domain names for DHCP hosts (needed when<br />
# "expand-hosts" is used)<br />
dhcp-range=10.0.0.2,10.0.0.255,255.255.255.0,1h # defines a DHCP-range for the LAN: <br />
# from 10.0.0.2 to .255 with a subnet mask of 255.255.255.0 and a<br />
# DHCP lease of 1 hour (change to your own preferences)<br />
<br />
Somewhere below, you will notice you can also add "static" DHCP leases, i.e. assign an IP address to the MAC address of a computer on the LAN. This way, whenever the computer requests a new lease, it will get the same IP. That is very useful for network servers with a DNS record. You can also deny certain MAC addresses from obtaining an IP.<br />
<br />
Now start dnsmasq:<br />
# systemctl start dnsmasq.service<br />
<br />
==Connection sharing==<br />
<br />
Time to tie the two network interfaces to each other.<br />
===iptables===<br />
[[Simple stateful firewall]] documents the setup of an [[iptables]] firewall and NAT.<br />
<br />
===Shorewall===<br />
Shorewall, an iptables frontend, can be used as an easier alternative.<br />
<br />
# pacman -S shorewall<br />
<br />
====Shorewall configuration====<br />
<br />
See [[Shorewall]] for Shorewall configuration.<br />
<br />
==Cleanup==<br />
<br />
Now that the installation has been performed, it is necessary to remove as many packages as possible. Since we are making a gateway, keeping unneeded packages only "bloats" the system, and increases the number of security risks.<br />
<br />
First, check for obsolete/deprecated packages (likely after a fresh install followed by a long series of updates):<br />
<br />
$ pacman -Qm<br />
<br />
Review the list of explicitly installed packages that are not dependencies and remove any that are unneeded. Having only needed packages installed is an important security consideration.<br />
<br />
$ pacman -Qet<br />
<br />
Completely remove the packages you do not need along with their configuration files and dependencies:<br />
<br />
# pacman -Rsn package1 package2 package3<br />
<br />
== Logrotate ==<br />
<br />
You should review the [[logrotate]] configuration to make sure the box is not brought down by lack of disk space due to logging.<br />
<br />
Logrotate is installed by default, so you will not have to install it.<br />
<br />
==Optional additions==<br />
<br />
===UPnP===<br />
The above configuration of shorewall does not include [http://en.wikipedia.org/wiki/UPnP UPnP] support. Use of [http://en.wikipedia.org/wiki/UPnP UPnP] is discouraged as it may make the gateway vulnerable to attacks from within the LAN. However, some applications such as MSN require this to function correctly.<br />
<br />
Read the [http://www.shorewall.net/UPnP.html Shorewall guide on UPnP] for more information.<br />
<br />
===Remote administration===<br />
<br />
[[SSH|OpenSSH]] can be used to administer your router remotely. This is useful for running it "headless" (no monitor or input devices).<br />
<br />
=== Caching web proxy ===<br />
<br />
See [[Squid]] or [[Polipo]] for the setup of a web proxy to speed up browsing and/or adding an extra layer of security.<br />
<br />
=== Time server ===<br />
To use the router as a time server, see [[Network Time Protocol]].<br />
<br />
Then, configure shorewall or iptables to allow NTP traffic in and out.<br />
<br />
=== Content filtering ===<br />
<br />
Install and configure [[DansGuardian]] or [[Privoxy]] if you need a content filtering solution.<br />
<br />
=== Traffic shaping ===<br />
<br />
Traffic shaping is very useful, especially when you are not the only one on the LAN. The idea is to assign a priority to different types of traffic. Interactive traffic (ssh, online gaming) probably needs the highest priority, while P2P traffic can do with the lowest. Then there is everything in between.<br />
<br />
==== Traffic shaping with shorewall ====<br />
<br />
Read [http://www.shorewall.net/traffic_shaping.htm Shorewall's Traffic Shaping/Control] guide.<br />
<br />
Here is my config as an example:<br />
* /etc/shorewall/tcdevices : here is where you define the interface you want to have shaped and its rates. I have an ADSL connection with a 4MBit down/256KBit up profile.<br />
ppp0 4mbit 256kbit <br />
* /etc/shorewall/tcclasses : here you define the minimum (rate) and maximum (ceil) throughput per class. You will assign each one to a type of traffic to shape.<br />
# interactive traffic (ssh)<br />
ppp0 1 full full 0<br />
# online gaming<br />
ppp0 2 full/2 full 5<br />
# http<br />
ppp0 3 full/4 full 10<br />
# rest<br />
ppp0 4 full/6 full 15 default<br />
* /etc/shorewall/tcrules : this file contains the types of traffic and the class it belongs to.<br />
1 0.0.0.0/0 0.0.0.0/0 tcp ssh<br />
2 0.0.0.0/0 0.0.0.0/0 udp 27000:28000<br />
3 0.0.0.0/0 0.0.0.0/0 tcp http<br />
3 0.0.0.0/0 0.0.0.0/0 tcp https<br />
I have split my traffic up into 4 groups:<br />
# interactive traffic or ssh: although it takes up almost no bandwidth, it is very annoying if it lags due to leechers on the LAN. This gets the highest priority.<br />
# online gaming: needless to say, you cannot play when your ping sucks. ;)<br />
# web traffic: can be a bit slower<br />
# everything else: every sort of download; they are the cause of the lag anyway.<br />
<br />
===Intrusion detection and prevention with snort===<br />
<br />
See [[Snort]].<br />
<br />
==See also==<br />
*[[Simple stateful firewall]]<br />
*[[Internet Share]]</div>Foucaulthttps://wiki.archlinux.org/index.php?title=Router&diff=268471Router2013-07-28T00:10:39Z<p>Foucault: /* IP configuration */ Add a notice for PPPoE connections</p>
<hr />
<div>[[Category:Networking]]<br />
[[Category:Security]]<br />
{{Out of date|No more rc.conf, no more eth0,1,2}}<br />
This article is a tutorial for turning a computer into an internet gateway/router. It focuses on ''security'', since the gateway is connected directly to the Internet. It should not run '''any''' services available to the outside world. Towards the LAN, it should only run gateway-specific services. Do not run httpd, ftpd, samba, nfsd, etc. on it: those belong on a server inside the LAN, as each such service adds attack surface to the one host that is exposed to the Internet.<br />
<br />
This article does not attempt to show how to set up a shared connection between 2 PCs using cross-over cables. For a simple internet sharing solution, see [[Internet Share]].<br />
<br />
==Hardware Requirements==<br />
* At least 1 GB of hard drive space. The base install will take up around 500MB of space and if you want to use a caching web proxy, you will need to reserve space for the cache as well.<br />
* At least two physical network interfaces: a gateway connects two networks with each other. You will need to be able to connect those networks to the same physical computer. One interface must connect to the external network, while the other connects to the internal network.<br />
* A hub, switch or UTP cable: you need a way to connect the other computers to the gateway.<br />
<br />
==Conventions==<br />
Conventions in this guide will be to use non-realistic interface names, to avoid confusion about which interface is which.<br />
<br />
* '''intern0''': the network card connected to the LAN. On an actual computer it will probably have the name eth0, eth1, etc.<br />
* '''extern1''': the network card connected to the external network (or WAN). It will probably have the name eth0, eth1, etc.<br />
<br />
==Installation==<br />
{{Note | For a full installation guide, see the [[Official Arch Linux Install Guide]].}}<br />
<br />
A fresh install of Arch Linux is the easiest to start from, as no configuration changes have been made and there is a minimal amount of packages installed. This is helpful when attempting to reduce security risk.<br />
<br />
===Partitioning===<br />
<br />
For security purposes, {{ic|/var}}, {{ic|/tmp}} and {{ic|/home}} should be separate from the {{ic|/}} partition. This prevents disk space from being completely used up by log files, daemons or the unprivileged user. It also allows different mount options for those partitions. If you have already partitioned your drive, the [http://gparted.sourceforge.net/ gparted livecd] can be used to resize, move, or create new partitions.<br />
<br />
Your home and root partitions can be much smaller than a regular install since this is not a desktop machine. {{ic|/var}} should be the largest partition—it is where databases, logs and long-term caches are stored. If you have a lot of RAM, mounting {{ic|/tmp}} as {{ic|tmpfs}} is a good idea, so making a disk partition for it during the initial install is unnecessary. Note that {{ic|/tmp}} is mounted as {{ic|tmpfs}} by default in Arch.<br />
<br />
===Post-Installation===<br />
After creating a non-root account, it is recommended to install [[sudo]] and [[sudo#Disable root login|disable root login]].<br />
<br />
==Network interface configuration==<br />
<br />
===Persistent naming===<br />
When you let [[udev]] handle loading the modules, you will notice your NICs switch names: one boot your LAN NIC is eth0, the next boot it is eth1, etc. (This may not be true any more; see [http://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames PredictableNetworkInterfaceNames] and [[Network_Configuration#Device_names]].)<br />
<br />
To fix this problem, read [[Network_Configuration#Device_names]].<br />
<br />
===IP configuration===<br />
Now you will need to configure the network interfaces. The best way to do so is using [[netctl]] profiles. You will need to create two profiles.<br />
{{Note|If you will be connecting to the Internet only via PPPoE (you have one WAN port), you do not need to set up or enable the extern0-profile. See below for more information on configuring PPPoE.}}<br />
* /etc/netctl/extern0-profile<br />
Description='Public Interface.'<br />
Interface=extern0<br />
Connection=ethernet<br />
IP='dhcp'<br />
<br />
* /etc/netctl/intern0-profile<br />
Description='Private Interface'<br />
Interface=intern0<br />
Connection=ethernet<br />
IP='static'<br />
Address=('10.0.0.1/24')<br />
<br />
{{Note|The example configuration above assumes a full subnet. If you are building the gateway for a small amount of people, you will want to change the CIDR suffix to accommodate a smaller range.}}<br />
<br />
Next up is to set up the interfaces with netctl.<br />
# netctl enable extern0-profile<br />
# netctl enable intern0-profile<br />
<br />
==ADSL connection==<br />
Using rp-pppoe, we can connect an ADSL modem to the extern1 interface of the firewall and have Arch manage the connection. Make sure you put the modem in ''bridged'' mode though (either half-bridge or RFC1483); otherwise the modem will act as a router too.<br />
# pacman -S rp-pppoe<br />
<br />
It should be noted that if you use only PPPoE to connect to the internet (i.e. you do not have another WAN port besides the one that connects to your modem), you do not need to set up the extern0-profile, as our external pseudo-interface will be ppp0.<br />
<br />
===PPPoE configuration===<br />
You can use netctl to set up the PPPoE connection. To get started:<br />
# cp /etc/netctl/examples/pppoe /etc/netctl/<br />
and start editing. For the interface configuration, choose the interface that connects to the modem. If you only connect to the internet through PPPoE, this will probably be '''extern0'''. Fill in the rest of the fields with your ISP information. See the pppoe section of the netctl.profile man page for more information on the fields.<br />
<br />
==DNS and DHCP==<br />
We will use [[dnsmasq]], a DNS and DHCP daemon for the LAN. It was specifically designed for small sites. To get it, [[Pacman | install]] {{Pkg|dnsmasq}} from the [[official repositories]].<br />
<br />
Dnsmasq needs to be configured to be a DHCP server. To do this:<br />
<br />
Edit {{ic|/etc/dnsmasq.conf}}:<br />
<br />
interface=intern0 # make dnsmasq listen for requests only on intern0 (our LAN)<br />
expand-hosts # add a domain to simple hostnames in /etc/hosts<br />
domain=foo.bar # allow fully qualified domain names for DHCP hosts (needed when<br />
# "expand-hosts" is used)<br />
dhcp-range=10.0.0.2,10.0.0.255,255.255.255.0,1h # defines a DHCP-range for the LAN: <br />
# from 10.0.0.2 to .255 with a subnet mask of 255.255.255.0 and a<br />
# DHCP lease of 1 hour (change to your own preferences)<br />
<br />
Somewhere below, you will notice you can also add "static" DHCP leases, i.e. assign an IP address to the MAC address of a computer on the LAN. This way, whenever the computer requests a new lease, it will get the same IP. That is very useful for network servers with a DNS record. You can also deny certain MACs from obtaining an IP.<br />
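The following check, added here as an example and not part of the article, parses the intern0-profile and the dnsmasq.conf above and verifies that dnsmasq faces the LAN only (interface plus bind-interfaces) and that every DHCP range and static lease lies inside the LAN subnet and away from the gateway's own address. Both configurations are constructed inline from the page's values; the two dhcp-host lines and the function names are assumptions.

```python
import ipaddress
import shlex

# Constructed inputs (not captured from a real host): the page's intern0-profile
# and dnsmasq.conf, plus bind-interfaces and two assumed dhcp-host lines.
NETCTL_PROFILE = """\
Description='Private Interface'
Interface=intern0
Connection=ethernet
IP='static'
Address=('10.0.0.1/24')
"""

DNSMASQ_CONF = """\
interface=intern0 # make dnsmasq listen for requests only on intern0 (our LAN)
bind-interfaces   # bind those interfaces only, not the wildcard address
expand-hosts
domain=foo.bar
dhcp-range=10.0.0.2,10.0.0.255,255.255.255.0,1h
dhcp-host=11:22:33:44:55:66,fileserver,10.0.0.10   # static lease for a LAN server
dhcp-host=aa:bb:cc:dd:ee:ff,ignore                 # refuse this MAC a lease
"""


def parse_netctl(text):
    """Return (interface name, IPv4Interface) from a static netctl profile."""
    iface = addr = None
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key == "Interface":
            iface = value.strip()
        elif key == "Address":
            # Address=('10.0.0.1/24') is a bash array; take its first element.
            addr = shlex.split(value.strip()[1:-1])[0]
    return iface, ipaddress.ip_interface(addr)


def parse_dnsmasq(text):
    """Map each dnsmasq option to the list of values given for it."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            key, _, value = line.partition("=")
            opts.setdefault(key, []).append(value)
    return opts


def check_dnsmasq(profile_text, conf_text):
    """Return a list of findings; an empty list means the two configs agree."""
    lan_iface, lan_addr = parse_netctl(profile_text)
    net = lan_addr.network
    opts = parse_dnsmasq(conf_text)
    findings = []

    # 1. The DNS/DHCP service must face the LAN interface only.
    if opts.get("interface") != [lan_iface]:
        findings.append("dnsmasq must listen only on %s" % lan_iface)
    if "bind-interfaces" not in opts:
        findings.append("bind-interfaces missing: dnsmasq binds the wildcard address")

    # 2. Each dhcp-range must lie inside the LAN subnet, leave out the
    #    gateway's own address and not end on the broadcast address.
    for rng in opts.get("dhcp-range", []):
        lo, hi = (ipaddress.ip_address(p) for p in rng.split(",")[:2])
        span = "dhcp-range %s-%s" % (lo, hi)
        if lo not in net or hi not in net:
            findings.append("%s is outside %s" % (span, net))
            continue
        if lo <= lan_addr.ip <= hi:
            findings.append("%s includes the gateway %s" % (span, lan_addr.ip))
        if hi == net.broadcast_address:
            findings.append("%s ends at the broadcast address" % span)

    # 3. Static leases must be LAN addresses; ',ignore' entries are MAC denies.
    for host in opts.get("dhcp-host", []):
        fields = host.split(",")
        if "ignore" in fields:
            continue
        for field in fields:
            try:
                ip = ipaddress.ip_address(field)
            except ValueError:
                continue  # MAC address or hostname, not an IP
            if ip not in net:
                findings.append("dhcp-host %s assigns %s outside %s" % (fields[0], ip, net))
    return findings


if __name__ == "__main__":
    for finding in check_dnsmasq(NETCTL_PROFILE, DNSMASQ_CONF):
        print(finding)
```

Run against the page's own range the check reports one finding: 10.0.0.255 is the broadcast address of 10.0.0.0/24, not a usable host address, so the range should end at 10.0.0.254.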
<br />
Now start dnsmasq:<br />
# systemctl start dnsmasq.service<br />
<br />
==Connection sharing==<br />
<br />
Time to tie the two network interfaces to each other.<br />
===iptables===<br />
[[Simple stateful firewall]] documents the setup of an [[iptables]] firewall and NAT.<br />
<br />
===Shorewall===<br />
Shorewall, an iptables frontend, can be used as an easier alternative.<br />
<br />
# pacman -S shorewall<br />
<br />
====Shorewall configuration====<br />
<br />
See [[Shorewall]] for Shorewall configuration.<br />
<br />
==Cleanup==<br />
<br />
Now that the installation has been performed, it is necessary to remove as many packages as possible. Since we are making a gateway, keeping unneeded packages only "bloats" the system, and increases the number of security risks.<br />
<br />
First, check for obsolete/deprecated packages (likely after a fresh install and massive series of updates):<br />
<br />
$ pacman -Qm<br />
<br />
Review the list of explicitly installed packages that are not dependencies and remove any that are unneeded. Having only needed packages installed is an important security consideration.<br />
<br />
$ pacman -Qet<br />
<br />
Completely remove the packages you do not need along with their configuration files and dependencies:<br />
<br />
# pacman -Rsn package1 package2 package3<br />
<br />
== Logrotate ==<br />
<br />
You should review the [[logrotate]] configuration to make sure the box is not brought down by lack of disk space due to logging.<br />
<br />
Logrotate is installed by default, so you will not have to install it.<br />
<br />
==Optional additions==<br />
<br />
===UPnP===<br />
The above configuration of shorewall does not include [http://en.wikipedia.org/wiki/UPnP UPnP] support. Use of [http://en.wikipedia.org/wiki/UPnP UPnP] is discouraged as it may make the gateway vulnerable to attacks from within the LAN. However, some applications such as MSN require this to function correctly.<br />
<br />
Read the [http://www.shorewall.net/UPnP.html Shorewall guide on UPnP] for more information.<br />
<br />
===Remote administration===<br />
<br />
[[SSH|OpenSSH]] can be used to administer your router remotely. This is useful for running it "headless" (no monitor or input devices).<br />
<br />
=== Caching web proxy ===<br />
<br />
See [[Squid]] or [[Polipo]] for the setup of a web proxy to speed up browsing and/or add an extra layer of security.<br />
<br />
=== Time server ===<br />
To use the router as a time server, see [[Network Time Protocol]].<br />
<br />
Then, configure shorewall or iptables to allow NTP traffic in and out.<br />
<br />
=== Content filtering ===<br />
<br />
Install and configure [[DansGuardian]] or [[Privoxy]] if you need a content filtering solution.<br />
<br />
=== Traffic shaping ===<br />
<br />
Traffic shaping is very useful, especially when you are not the only one on the LAN. The idea is to assign a priority to different types of traffic. Interactive traffic (ssh, online gaming) probably needs the highest priority, while P2P traffic can do with the lowest. Then there is everything in between.<br />
<br />
==== Traffic shaping with shorewall ====<br />
<br />
Read [http://www.shorewall.net/traffic_shaping.htm Shorewall's Traffic Shaping/Control] guide.<br />
<br />
Here is my config as an example:<br />
* /etc/shorewall/tcdevices : here is where you define the interface you want to have shaped and its rates. I have got an ADSL connection with a 4MBit down/256KBit up profile.<br />
ppp0 4mbit 256kbit <br />
* /etc/shorewall/tcclasses : here you define the minimum (rate) and maximum (ceil) throughput per class. You will assign each one to a type of traffic to shape.<br />
# interactive traffic (ssh)<br />
ppp0 1 full full 0<br />
# online gaming<br />
ppp0 2 full/2 full 5<br />
# http<br />
ppp0 3 full/4 full 10<br />
# rest<br />
ppp0 4 full/6 full 15 default<br />
* /etc/shorewall/tcrules : this file contains the types of traffic and the class it belongs to.<br />
1 0.0.0.0/0 0.0.0.0/0 tcp ssh<br />
2 0.0.0.0/0 0.0.0.0/0 udp 27000:28000<br />
3 0.0.0.0/0 0.0.0.0/0 tcp http<br />
3 0.0.0.0/0 0.0.0.0/0 tcp https<br />
I have split up my traffic into 4 groups:<br />
# interactive traffic or ssh: although it takes up almost no bandwidth, it is very annoying if it lags due to leechers on the LAN. This gets the highest priority.<br />
# online gaming: needless to say you cannot play when your ping sucks. ;)<br />
# web traffic: can be a bit slower<br />
# everything else: every sort of download; they are the cause of the lag anyway.<br />
<br />
===Intrusion detection and prevention with snort===<br />
<br />
See [[Snort]].<br />
<br />
==See also==<br />
*[[Simple stateful firewall]]<br />
*[[Internet Share]]</div>
Foucault
https://wiki.archlinux.org/index.php?title=Router&diff=268470
Router
2013-07-28T00:08:13Z
<p>Foucault: /* ADSL connection */ More pppoe details</p>
<hr />
<div>[[Category:Networking]]<br />
[[Category:Security]]<br />
{{Out of date|No more rc.conf, no more eth0,1,2}}<br />
This article is a tutorial for turning a computer into an internet gateway/router. It focuses on ''security'', since the gateway is connected directly to the Internet. It should not run '''any''' services available to the outside world. Towards the LAN, it should only run gateway-specific services. It should not run httpd, ftpd, samba, nfsd, etc.; those belong on a server inside the LAN, as they introduce security flaws.<br />
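A check for that rule, added here as an example and not taken from the article: the script classifies each listening socket in `ss -tulnp` output by the address it is bound to and flags anything reachable beyond the LAN and loopback, which on a gateway means reachable from the WAN. The ss output is constructed, the LAN subnet is the 10.0.0.0/24 of the intern0-profile, and the function names are assumptions.

```python
import ipaddress

LAN_IFACE = "intern0"                            # from the page's conventions
LAN_NET = ipaddress.ip_network("10.0.0.0/24")    # from the intern0-profile
LOOPBACK = {"127.0.0.1", "::1"}
WILDCARD = {"0.0.0.0", "*", "::"}

# Constructed sample of `ss -tulnpH` output (not captured from a real host).
# Sockets bound to one device with SO_BINDTODEVICE appear as addr%ifname in ss.
SS_OUTPUT = """\
udp   UNCONN 0 0    10.0.0.1:53          0.0.0.0:* users:(("dnsmasq",pid=311,fd=4))
udp   UNCONN 0 0    0.0.0.0%intern0:67   0.0.0.0:* users:(("dnsmasq",pid=311,fd=6))
tcp   LISTEN 0 128  10.0.0.1:53          0.0.0.0:* users:(("dnsmasq",pid=311,fd=5))
tcp   LISTEN 0 128  0.0.0.0:22           0.0.0.0:* users:(("sshd",pid=402,fd=3))
tcp   LISTEN 0 128  [::]:22              [::]:*    users:(("sshd",pid=402,fd=4))
tcp   LISTEN 0 511  127.0.0.1:3128       0.0.0.0:* users:(("squid",pid=517,fd=9))
"""


def split_hostport(local):
    """Split ss's 'addr:port' (IPv6 in brackets) into (addr, port)."""
    addr, _, port = local.rpartition(":")
    if addr.startswith("[") and addr.endswith("]"):
        addr = addr[1:-1]
    return addr, port


def exposure(addr):
    """Classify where a local socket address is reachable from:
    'loopback', 'lan' (intern0 only), 'wildcard' (every interface, the WAN
    included) or 'other' (an address that is not on the LAN)."""
    if "%" in addr:                       # bound to one device via SO_BINDTODEVICE
        addr, dev = addr.split("%", 1)
        return "lan" if dev == LAN_IFACE else "other"
    if addr in LOOPBACK:
        return "loopback"
    if addr in WILDCARD:
        return "wildcard"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "other"
    return "lan" if ip in LAN_NET else "other"


def audit_listeners(ss_text):
    """Return (proto, port, process, exposure) for every socket that is
    reachable from beyond the LAN and loopback."""
    findings = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        proto, local = fields[0], fields[4]
        addr, port = split_hostport(local)
        cls = exposure(addr)
        if cls in ("wildcard", "other"):
            proc = "?"
            if len(fields) > 6 and '"' in fields[6]:
                proc = fields[6].split('"')[1]   # users:(("sshd",pid=...)) -> sshd
            findings.append((proto, port, proc, cls))
    return findings


if __name__ == "__main__":
    for proto, port, proc, cls in audit_listeners(SS_OUTPUT):
        print("%s/%s (%s) is bound to a %s address" % (proto, port, proc, cls))
```

In the sample only sshd is flagged, on both the IPv4 and IPv6 wildcard; restricting it with ListenAddress to the LAN address, or dropping port 22 on the WAN side in the firewall, closes that exposure.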
<br />
This article does not attempt to show how to set up a shared connection between 2 PCs using cross-over cables. For a simple internet sharing solution, see [[Internet Share]].<br />
<br />
==Hardware Requirements==<br />
* At least 1 GB of hard drive space. The base install will take up around 500MB of space and if you want to use a caching web proxy, you will need to reserve space for the cache as well.<br />
* At least two physical network interfaces: a gateway connects two networks with each other. You will need to be able to connect those networks to the same physical computer. One interface must connect to the external network, while the other connects to the internal network.<br />
* A hub, switch or UTP cable: you need a way to connect the other computers to the gateway.<br />
<br />
==Conventions==<br />
Conventions in this guide will be to use non-realistic interface names, to avoid confusion about which interface is which.<br />
<br />
* '''intern0''': the network card connected to the LAN. On an actual computer it will probably have the name eth0, eth1, etc.<br />
* '''extern1''': the network card connected to the external network (or WAN). It will probably have the name eth0, eth1, etc.<br />
<br />
==Installation==<br />
{{Note | For a full installation guide, see the [[Official Arch Linux Install Guide]].}}<br />
<br />
A fresh install of Arch Linux is the easiest to start from, as no configuration changes have been made and there is a minimal number of packages installed. This is helpful when attempting to reduce security risk.<br />
<br />
===Partitioning===<br />
<br />
For security purposes, {{ic|/var}}, {{ic|/tmp}} and {{ic|/home}} should be separate from the {{ic|/}} partition. This prevents disk space from being completely used up by log files, daemons or the unprivileged user. It also allows different mount options for those partitions. If you have already partitioned your drive, the [http://gparted.sourceforge.net/ gparted livecd] can be used to resize, move, or create new partitions.<br />
<br />
Your home and root partitions can be much smaller than a regular install since this is not a desktop machine. {{ic|/var}} should be the largest partition—it is where databases, logs and long-term caches are stored. If you have a lot of RAM, mounting {{ic|/tmp}} as {{ic|tmpfs}} is a good idea, so making a disk partition for it during the initial install is unnecessary. Note that {{ic|/tmp}} is mounted as {{ic|tmpfs}} by default in Arch.<br />
<br />
===Post-Installation===<br />
After creating a non-root account, it is recommended to install [[sudo]] and [[sudo#Disable root login|disable root login]].<br />
<br />
==Network interface configuration==<br />
<br />
===Persistent naming===<br />
When you let [[udev]] handle loading the modules, you will notice that your NICs switch names: on one boot your LAN NIC is eth0, on the next it is eth1, etc. (This might not be true; see [http://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames PredictableNetworkInterfaceNames] and [[Network_Configuration#Device_names]].)<br />
<br />
To fix this problem, read [[Network_Configuration#Device_names]].<br />
<br />
===IP configuration===<br />
Now you will need to configure the network interfaces. The best way to do so is using [[netctl]] profiles. You will need to create two profiles.<br />
<br />
* /etc/netctl/extern0-profile<br />
Description='Public Interface.'<br />
Interface=extern0<br />
Connection=ethernet<br />
IP='dhcp'<br />
<br />
* /etc/netctl/intern0-profile<br />
Description='Private Interface'<br />
Interface=intern0<br />
Connection=ethernet<br />
IP='static'<br />
Address=('10.0.0.1/24')<br />
<br />
{{Note|The example configuration above assumes a full subnet. If you are building the gateway for a small number of people, you will want to change the CIDR suffix to accommodate a smaller range.}}<br />
<br />
Next, enable the interfaces with netctl:<br />
# netctl enable extern0-profile<br />
# netctl enable intern0-profile<br />
<br />
==ADSL connection==<br />
Using rp-pppoe, we can connect an ADSL modem to the extern1 of the firewall and have Arch manage the connection. Make sure you put the modem in ''bridged'' mode though (either half-bridge or RFC1483), otherwise the modem will act as a router too.<br />
# pacman -S rp-pppoe<br />
<br />
It should be noted that if you use only PPPoE to connect to the internet (i.e. you do not have any other WAN port besides the one that connects to your modem), you do not need to set up the extern0-profile, as the external pseudo-interface will be ppp0.<br />
<br />
===PPPoE configuration===<br />
You can use netctl to set up the PPPoE connection. To get started:<br />
# cp /etc/netctl/examples/pppoe /etc/netctl/<br />
and start editing. For the interface configuration, choose the interface that connects to the modem. If you only connect to the internet through PPPoE this will probably be '''extern0'''. Fill in the rest of the fields with your ISP information. See the pppoe section in the netctl.profile man page for more information on the fields.<br />
<br />
==DNS and DHCP==<br />
We will use [[dnsmasq]], a DNS and DHCP daemon for the LAN. It was specifically designed for small sites. To get it, [[Pacman | install]] {{Pkg|dnsmasq}} from the [[official repositories]].<br />
<br />
Dnsmasq needs to be configured to be a DHCP server. To do this:<br />
<br />
Edit {{ic|/etc/dnsmasq.conf}}:<br />
<br />
interface=intern0 # make dnsmasq listen for requests only on intern0 (our LAN)<br />
expand-hosts # add a domain to simple hostnames in /etc/hosts<br />
domain=foo.bar # allow fully qualified domain names for DHCP hosts (needed when<br />
# "expand-hosts" is used)<br />
dhcp-range=10.0.0.2,10.0.0.255,255.255.255.0,1h # defines a DHCP-range for the LAN: <br />
# from 10.0.0.2 to .255 with a subnet mask of 255.255.255.0 and a<br />
# DHCP lease of 1 hour (change to your own preferences)<br />
<br />
Somewhere below, you will notice you can also add "static" DHCP leases, i.e. assign an IP address to the MAC address of a computer on the LAN. This way, whenever the computer requests a new lease, it will get the same IP. That is very useful for network servers with a DNS record. You can also deny certain MACs from obtaining an IP.<br />
<br />
Now start dnsmasq:<br />
# systemctl start dnsmasq.service<br />
<br />
==Connection sharing==<br />
<br />
Time to tie the two network interfaces to each other.<br />
===iptables===<br />
[[Simple stateful firewall]] documents the setup of an [[iptables]] firewall and NAT.<br />
<br />
===Shorewall===<br />
Shorewall, an iptables frontend, can be used as an easier alternative.<br />
<br />
# pacman -S shorewall<br />
<br />
====Shorewall configuration====<br />
<br />
See [[Shorewall]] for Shorewall configuration.<br />
<br />
==Cleanup==<br />
<br />
Now that the installation has been performed, it is necessary to remove as many packages as possible. Since we are making a gateway, keeping unneeded packages only "bloats" the system, and increases the number of security risks.<br />
<br />
First, check for obsolete/deprecated packages (likely after a fresh install and massive series of updates):<br />
<br />
$ pacman -Qm<br />
<br />
Review the list of explicitly installed packages that are not dependencies and remove any that are unneeded. Having only needed packages installed is an important security consideration.<br />
<br />
$ pacman -Qet<br />
<br />
Completely remove the packages you do not need along with their configuration files and dependencies:<br />
<br />
# pacman -Rsn package1 package2 package3<br />
<br />
== Logrotate ==<br />
<br />
You should review the [[logrotate]] configuration to make sure the box is not brought down by lack of disk space due to logging.<br />
<br />
Logrotate is installed by default, so you will not have to install it.<br />
<br />
==Optional additions==<br />
<br />
===UPnP===<br />
The above configuration of shorewall does not include [http://en.wikipedia.org/wiki/UPnP UPnP] support. Use of [http://en.wikipedia.org/wiki/UPnP UPnP] is discouraged as it may make the gateway vulnerable to attacks from within the LAN. However, some applications such as MSN require this to function correctly.<br />
<br />
Read the [http://www.shorewall.net/UPnP.html Shorewall guide on UPnP] for more information.<br />
<br />
===Remote administration===<br />
<br />
[[SSH|OpenSSH]] can be used to administer your router remotely. This is useful for running it "headless" (no monitor or input devices).<br />
<br />
=== Caching web proxy ===<br />
<br />
See [[Squid]] or [[Polipo]] for the setup of a web proxy to speed up browsing and/or add an extra layer of security.<br />
<br />
=== Time server ===<br />
To use the router as a time server, see [[Network Time Protocol]].<br />
<br />
Then, configure shorewall or iptables to allow NTP traffic in and out.<br />
<br />
=== Content filtering ===<br />
<br />
Install and configure [[DansGuardian]] or [[Privoxy]] if you need a content filtering solution.<br />
<br />
=== Traffic shaping ===<br />
<br />
Traffic shaping is very useful, especially when you are not the only one on the LAN. The idea is to assign a priority to different types of traffic. Interactive traffic (ssh, online gaming) probably needs the highest priority, while P2P traffic can do with the lowest. Then there is everything in between.<br />
<br />
==== Traffic shaping with shorewall ====<br />
<br />
Read [http://www.shorewall.net/traffic_shaping.htm Shorewall's Traffic Shaping/Control] guide.<br />
<br />
Here is my config as an example:<br />
* /etc/shorewall/tcdevices : here is where you define the interface you want to have shaped and its rates. I have got an ADSL connection with a 4MBit down/256KBit up profile.<br />
ppp0 4mbit 256kbit <br />
* /etc/shorewall/tcclasses : here you define the minimum (rate) and maximum (ceil) throughput per class. You will assign each one to a type of traffic to shape.<br />
# interactive traffic (ssh)<br />
ppp0 1 full full 0<br />
# online gaming<br />
ppp0 2 full/2 full 5<br />
# http<br />
ppp0 3 full/4 full 10<br />
# rest<br />
ppp0 4 full/6 full 15 default<br />
* /etc/shorewall/tcrules : this file contains the types of traffic and the class it belongs to.<br />
1 0.0.0.0/0 0.0.0.0/0 tcp ssh<br />
2 0.0.0.0/0 0.0.0.0/0 udp 27000:28000<br />
3 0.0.0.0/0 0.0.0.0/0 tcp http<br />
3 0.0.0.0/0 0.0.0.0/0 tcp https<br />
I have split up my traffic into 4 groups:<br />
# interactive traffic or ssh: although it takes up almost no bandwidth, it is very annoying if it lags due to leechers on the LAN. This gets the highest priority.<br />
# online gaming: needless to say you cannot play when your ping sucks. ;)<br />
# web traffic: can be a bit slower<br />
# everything else: every sort of download; they are the cause of the lag anyway.<br />
<br />
===Intrusion detection and prevention with snort===<br />
<br />
See [[Snort]].<br />
<br />
==See also==<br />
*[[Simple stateful firewall]]<br />
*[[Internet Share]]</div>
Foucault
https://wiki.archlinux.org/index.php?title=Router&diff=268469
Router
2013-07-28T00:03:45Z
<p>Foucault: /* ADSL connection */ Use netctl for managing pppoe</p>
<hr />
<div>[[Category:Networking]]<br />
[[Category:Security]]<br />
{{Out of date|No more rc.conf, no more eth0,1,2}}<br />
This article is a tutorial for turning a computer into an internet gateway/router. It focuses on ''security'', since the gateway is connected directly to the Internet. It should not run '''any''' services available to the outside world. Towards the LAN, it should only run gateway-specific services. It should not run httpd, ftpd, samba, nfsd, etc.; those belong on a server inside the LAN, as they introduce security flaws.<br />
<br />
This article does not attempt to show how to set up a shared connection between 2 PCs using cross-over cables. For a simple internet sharing solution, see [[Internet Share]].<br />
<br />
==Hardware Requirements==<br />
* At least 1 GB of hard drive space. The base install will take up around 500MB of space and if you want to use a caching web proxy, you will need to reserve space for the cache as well.<br />
* At least two physical network interfaces: a gateway connects two networks with each other. You will need to be able to connect those networks to the same physical computer. One interface must connect to the external network, while the other connects to the internal network.<br />
* A hub, switch or UTP cable: you need a way to connect the other computers to the gateway.<br />
<br />
==Conventions==<br />
Conventions in this guide will be to use non-realistic interface names, to avoid confusion about which interface is which.<br />
<br />
* '''intern0''': the network card connected to the LAN. On an actual computer it will probably have the name eth0, eth1, etc.<br />
* '''extern1''': the network card connected to the external network (or WAN). It will probably have the name eth0, eth1, etc.<br />
<br />
==Installation==<br />
{{Note | For a full installation guide, see the [[Official Arch Linux Install Guide]].}}<br />
<br />
A fresh install of Arch Linux is the easiest to start from, as no configuration changes have been made and there is a minimal number of packages installed. This is helpful when attempting to reduce security risk.<br />
<br />
===Partitioning===<br />
<br />
For security purposes, {{ic|/var}}, {{ic|/tmp}} and {{ic|/home}} should be separate from the {{ic|/}} partition. This prevents disk space from being completely used up by log files, daemons or the unprivileged user. It also allows different mount options for those partitions. If you have already partitioned your drive, the [http://gparted.sourceforge.net/ gparted livecd] can be used to resize, move, or create new partitions.<br />
<br />
Your home and root partitions can be much smaller than a regular install since this is not a desktop machine. {{ic|/var}} should be the largest partition—it is where databases, logs and long-term caches are stored. If you have a lot of RAM, mounting {{ic|/tmp}} as {{ic|tmpfs}} is a good idea, so making a disk partition for it during the initial install is unnecessary. Note that {{ic|/tmp}} is mounted as {{ic|tmpfs}} by default in Arch.<br />
<br />
===Post-Installation===<br />
After creating a non-root account, it is recommended to install [[sudo]] and [[sudo#Disable root login|disable root login]].<br />
<br />
==Network interface configuration==<br />
<br />
===Persistent naming===<br />
When you let [[udev]] handle loading the modules, you will notice that your NICs switch names: on one boot your LAN NIC is eth0, on the next it is eth1, etc. (This might not be true; see [http://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames PredictableNetworkInterfaceNames] and [[Network_Configuration#Device_names]].)<br />
<br />
To fix this problem, read [[Network_Configuration#Device_names]].<br />
<br />
===IP configuration===<br />
Now you will need to configure the network interfaces. The best way to do so is using [[netctl]] profiles. You will need to create two profiles.<br />
<br />
* /etc/netctl/extern0-profile<br />
Description='Public Interface.'<br />
Interface=extern0<br />
Connection=ethernet<br />
IP='dhcp'<br />
<br />
* /etc/netctl/intern0-profile<br />
Description='Private Interface'<br />
Interface=intern0<br />
Connection=ethernet<br />
IP='static'<br />
Address=('10.0.0.1/24')<br />
<br />
{{Note|The example configuration above assumes a full subnet. If you are building the gateway for a small number of people, you will want to change the CIDR suffix to accommodate a smaller range.}}<br />
<br />
Next, enable the interfaces with netctl:<br />
# netctl enable extern0-profile<br />
# netctl enable intern0-profile<br />
<br />
==ADSL connection==<br />
Using rp-pppoe, we can connect an ADSL modem to the extern1 of the firewall and have Arch manage the connection. Make sure you put the modem in ''bridged'' mode though (either half-bridge or RFC1483), otherwise the modem will act as a router too.<br />
# pacman -S rp-pppoe<br />
<br />
===pppoe configuration===<br />
You can use netctl to set up the pppoe connection. To get started:<br />
# cp /etc/netctl/examples/pppoe /etc/netctl/<br />
and start editing. For the interface configuration option, use the same interface defined in '''intern0-profile''', in our case 'intern0'. Fill in the rest of the fields with your ISP information. See the pppoe section in the netctl.profile man page for more information on the fields.<br />
<br />
==DNS and DHCP==<br />
We will use [[dnsmasq]], a DNS and DHCP daemon for the LAN. It was specifically designed for small sites. To get it, [[Pacman | install]] {{Pkg|dnsmasq}} from the [[official repositories]].<br />
<br />
Dnsmasq needs to be configured to be a DHCP server. To do this:<br />
<br />
Edit {{ic|/etc/dnsmasq.conf}}:<br />
<br />
interface=intern0 # make dnsmasq listen for requests only on intern0 (our LAN)<br />
expand-hosts # add a domain to simple hostnames in /etc/hosts<br />
domain=foo.bar # allow fully qualified domain names for DHCP hosts (needed when<br />
# "expand-hosts" is used)<br />
dhcp-range=10.0.0.2,10.0.0.255,255.255.255.0,1h # defines a DHCP-range for the LAN: <br />
# from 10.0.0.2 to .255 with a subnet mask of 255.255.255.0 and a<br />
# DHCP lease of 1 hour (change to your own preferences)<br />
<br />
Somewhere below, you will notice you can also add "static" DHCP leases, i.e. assign an IP address to the MAC address of a computer on the LAN. This way, whenever the computer requests a new lease, it will get the same IP. That is very useful for network servers with a DNS record. You can also deny certain MACs from obtaining an IP.<br />
<br />
Now start dnsmasq:<br />
# systemctl start dnsmasq.service<br />
<br />
==Connection sharing==<br />
<br />
Time to tie the two network interfaces to each other.<br />
===iptables===<br />
[[Simple stateful firewall]] documents the setup of an [[iptables]] firewall and NAT.<br />
<br />
===Shorewall===<br />
Shorewall, an iptables frontend, can be used as an easier alternative.<br />
<br />
# pacman -S shorewall<br />
<br />
====Shorewall configuration====<br />
<br />
See [[Shorewall]] for Shorewall configuration.<br />
<br />
==Cleanup==<br />
<br />
Now that the installation has been performed, it is necessary to remove as many packages as possible. Since we are making a gateway, keeping unneeded packages only "bloats" the system, and increases the number of security risks.<br />
<br />
First, check for obsolete/deprecated packages (likely after a fresh install and massive series of updates):<br />
<br />
$ pacman -Qm<br />
<br />
Review the list of explicitly installed packages that are not dependencies and remove any that are unneeded. Having only needed packages installed is an important security consideration.<br />
<br />
$ pacman -Qet<br />
<br />
Completely remove the packages you do not need along with their configuration files and dependencies:<br />
<br />
# pacman -Rsn package1 package2 package3<br />
<br />
== Logrotate ==<br />
<br />
You should review the [[logrotate]] configuration to make sure the box is not brought down by lack of disk space due to logging.<br />
<br />
Logrotate is installed by default, so you will not have to install it.<br />
<br />
==Optional additions==<br />
<br />
===UPnP===<br />
The above configuration of shorewall does not include [http://en.wikipedia.org/wiki/UPnP UPnP] support. Use of [http://en.wikipedia.org/wiki/UPnP UPnP] is discouraged as it may make the gateway vulnerable to attacks from within the LAN. However, some applications such as MSN require this to function correctly.<br />
<br />
Read the [http://www.shorewall.net/UPnP.html Shorewall guide on UPnP] for more information.<br />
<br />
===Remote administration===<br />
<br />
[[SSH|OpenSSH]] can be used to administer your router remotely. This is useful for running it "headless" (no monitor or input devices).<br />
<br />
=== Caching web proxy ===<br />
<br />
See [[Squid]] or [[Polipo]] for the setup of a web proxy to speed up browsing and/or add an extra layer of security.<br />
<br />
=== Time server ===<br />
To use the router as a time server, see [[Network Time Protocol]].<br />
<br />
Then, configure shorewall or iptables to allow NTP traffic in and out.<br />
<br />
=== Content filtering ===<br />
<br />
Install and configure [[DansGuardian]] or [[Privoxy]] if you need a content filtering solution.<br />
<br />
=== Traffic shaping ===<br />
<br />
Traffic shaping is very useful, especially when you are not the only one on the LAN. The idea is to assign a priority to different types of traffic. Interactive traffic (ssh, online gaming) probably needs the highest priority, while P2P traffic can do with the lowest. Then there is everything in between.<br />
<br />
==== Traffic shaping with shorewall ====<br />
<br />
Read [http://www.shorewall.net/traffic_shaping.htm Shorewall's Traffic Shaping/Control] guide.<br />
<br />
Here is my config as an example:<br />
* /etc/shorewall/tcdevices : here is where you define the interface you want to have shaped and its rates. I have got an ADSL connection with a 4MBit down/256KBit up profile.<br />
ppp0 4mbit 256kbit <br />
* /etc/shorewall/tcclasses : here you define the minimum (rate) and maximum (ceil) throughput per class. You will assign each one to a type of traffic to shape.<br />
# interactive traffic (ssh)<br />
ppp0 1 full full 0<br />
# online gaming<br />
ppp0 2 full/2 full 5<br />
# http<br />
ppp0 3 full/4 full 10<br />
# rest<br />
ppp0 4 full/6 full 15 default<br />
* /etc/shorewall/tcrules : this file contains the types of traffic and the class it belongs to.<br />
1 0.0.0.0/0 0.0.0.0/0 tcp ssh<br />
2 0.0.0.0/0 0.0.0.0/0 udp 27000:28000<br />
3 0.0.0.0/0 0.0.0.0/0 tcp http<br />
3 0.0.0.0/0 0.0.0.0/0 tcp https<br />
I have split up my traffic into 4 groups:<br />
# interactive traffic or ssh: although it takes up almost no bandwidth, it is very annoying if it lags due to leechers on the LAN. This gets the highest priority.<br />
# online gaming: needless to say you cannot play when your ping sucks. ;)<br />
# web traffic: can be a bit slower<br />
# everything else: every sort of download; they are the cause of the lag anyway.<br />
<br />
===Intrusion detection and prevention with snort===<br />
<br />
See [[Snort]].<br />
<br />
==See also==<br />
*[[Simple stateful firewall]]<br />
*[[Internet Share]]</div>
Foucault
https://wiki.archlinux.org/index.php?title=Router&diff=268468
Router
2013-07-28T00:00:49Z
<p>Foucault: /* IP configuration */</p>
<hr />
<div>[[Category:Networking]]<br />
[[Category:Security]]<br />
{{Out of date|No more rc.conf, no more eth0,1,2}}<br />
This article is a tutorial for turning a computer into an internet gateway/router. It focuses on ''security'', since the gateway is connected directly to the Internet. It should not run '''any''' services available to the outside world. Towards the LAN, it should only run gateway-specific services. It should not run httpd, ftpd, samba, nfsd, etc.; those belong on a server inside the LAN, as they introduce security flaws.<br />
<br />
This article does not attempt to show how to set up a shared connection between 2 PCs using cross-over cables. For a simple internet sharing solution, see [[Internet Share]].<br />
<br />
==Hardware Requirements==<br />
* At least 1 GB of hard drive space. The base install will take up around 500MB of space and if you want to use a caching web proxy, you will need to reserve space for the cache as well.<br />
* At least two physical network interfaces: a gateway connects two networks with each other. You will need to be able to connect those networks to the same physical computer. One interface must connect to the external network, while the other connects to the internal network.<br />
* A hub, switch or UTP cable: you need a way to connect the other computers to the gateway.<br />
<br />
==Conventions==<br />
Conventions in this guide will be to use non-realistic interface names, to avoid confusion about which interface is which.<br />
<br />
* '''intern0''': the network card connected to the LAN. On an actual computer it will probably have the name eth0, eth1, etc.<br />
* '''extern1''': the network card connected to the external network (or WAN). It will probably have the name eth0, eth1, etc.<br />
<br />
==Installation==<br />
{{Note | For a full installation guide, see the [[Official Arch Linux Install Guide]].}}<br />
<br />
A fresh install of Arch Linux is the easiest to start from, as no configuration changes have been made and there is a minimal number of packages installed. This is helpful when attempting to reduce security risk.<br />
<br />
===Partitioning===<br />
<br />
For security purposes, {{ic|/var}}, {{ic|/tmp}} and {{ic|/home}} should be separate from the {{ic|/}} partition. This prevents disk space from being completely used up by log files, daemons or the unprivileged user. It also allows different mount options for those partitions. If you have already partitioned your drive, the [http://gparted.sourceforge.net/ gparted livecd] can be used to resize, move, or create new partitions.<br />
<br />
Your home and root partitions can be much smaller than a regular install since this is not a desktop machine. {{ic|/var}} should be the largest partition—it is where databases, logs and long-term caches are stored. If you have a lot of RAM, mounting {{ic|/tmp}} as {{ic|tmpfs}} is a good idea, so making a disk partition for it during the initial install is unnecessary. Note that {{ic|/tmp}} is mounted as {{ic|tmpfs}} by default in Arch.<br />
<br />
===Post-Installation===<br />
After creating a non-root account, it is recommended to install [[sudo]] and [[sudo#Disable root login|disable root login]].<br />
<br />
==Network interface configuration==<br />
<br />
===Persistent naming===<br />
When you let [[udev]] handle loading the modules, you will notice that your NICs switch names: on one boot your LAN NIC is eth0, on the next it is eth1, etc. (This might not be true; see [http://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames PredictableNetworkInterfaceNames] and [[Network_Configuration#Device_names]].)<br />
<br />
To fix this problem, read [[Network_Configuration#Device_names]].<br />
<br />
===IP configuration===<br />
Now you will need to configure the network interfaces. The best way to do so is using [[netctl]] profiles. You will need to create two profiles.<br />
<br />
* /etc/netctl/extern1-profile<br />
Description='Public Interface'<br />
Interface=extern1<br />
Connection=ethernet<br />
IP='dhcp'<br />
<br />
* /etc/netctl/intern0-profile<br />
Description='Private Interface'<br />
Interface=intern0<br />
Connection=ethernet<br />
IP='static'<br />
Address=('10.0.0.1/24')<br />
<br />
{{Note|The example configuration above assumes a full /24 subnet. If you are building the gateway for a small number of people, you will want to change the CIDR suffix to accommodate a smaller range.}}<br />
<br />
Next, enable both profiles with netctl:<br />
# netctl enable extern1-profile<br />
# netctl enable intern0-profile<br />
<br />
==ADSL connection==<br />
Using rp-pppoe, we can connect an ADSL modem to the extern1 interface of the firewall and have Arch manage the connection. Make sure you put the modem in ''bridged'' mode though, otherwise the modem will act as a router too.<br />
# pacman -S rp-pppoe<br />
<br />
===Configuration: rp-pppoe===<br />
# /usr/sbin/pppoe-setup<br />
The questions are all documented. You can select "no firewall" because we will let Shorewall / iptables handle that part.<br />
<br />
==DNS and DHCP==<br />
We will use [[dnsmasq]], a DNS and DHCP daemon for the LAN. It was specifically designed for small sites. To get it, [[Pacman | install]] {{Pkg|dnsmasq}} from the [[official repositories]].<br />
<br />
Dnsmasq needs to be configured to be a DHCP server. To do this:<br />
<br />
Edit {{ic|/etc/dnsmasq.conf}}:<br />
<br />
interface=intern0 # make dnsmasq listen for requests only on intern0 (our LAN)<br />
expand-hosts # add a domain to simple hostnames in /etc/hosts<br />
domain=foo.bar # allow fully qualified domain names for DHCP hosts (needed when<br />
# "expand-hosts" is used)<br />
dhcp-range=10.0.0.2,10.0.0.254,255.255.255.0,1h # defines a DHCP range for the LAN:<br />
# from 10.0.0.2 to .254 (10.0.0.255 is the broadcast address of the /24 and must not<br />
# be leased), subnet mask 255.255.255.0, DHCP lease of 1 hour (change to your own preferences)<br />
<br />
Further down in the file you will notice that you can also add "static" DHCP leases, i.e. assign a fixed IP address to the MAC address of a computer on the LAN. This way, whenever that computer requests a new lease, it gets the same IP, which is very useful for network servers with a DNS record. You can also deny certain MAC addresses a lease.<br />
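<br />
A dhcp-range is easy to get wrong: ending it at 10.0.0.255 hands out the subnet's broadcast address, and starting it at the gateway's own address creates a conflict. The following is an added example, not part of this page or of dnsmasq, of a small POSIX shell check that rejects a range which leaves the gateway's subnet or includes the network, broadcast or gateway address. It assumes the 10.0.0.1/24 gateway address from the netctl profile above; the candidate ranges are constructed.<br />

```shell
#!/bin/sh
# Added example, not part of the ArchWiki page: validate a dnsmasq dhcp-range
# against the gateway's own address before starting the daemon.
# Assumes the gateway holds 10.0.0.1/24 on intern0, as in the netctl profile above.

# ip2int A.B.C.D -> 32-bit integer (runs in a subshell so IFS is not clobbered)
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# int2ip N -> dotted quad
int2ip() {
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
        $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# check_dhcp_range GATEWAY/PREFIX START END
# Returns 0 when the range is usable: start <= end, both ends inside the
# gateway's subnet, and neither the network address, the broadcast address nor
# the gateway itself is handed out. Prints the reason for a rejection on stderr.
check_dhcp_range() {
    gw_ip=${1%/*}
    prefix=${1#*/}
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    gw=$(ip2int "$gw_ip")
    net=$(( gw & mask ))
    bcast=$(( net | (~mask & 4294967295) ))
    s=$(ip2int "$2")
    e=$(ip2int "$3")

    if [ "$s" -gt "$e" ]; then
        echo "rejected: start $2 is after end $3" >&2; return 1
    elif [ $(( s & mask )) -ne "$net" ] || [ $(( e & mask )) -ne "$net" ]; then
        echo "rejected: range leaves $(int2ip "$net")/$prefix" >&2; return 1
    elif [ "$s" -eq "$net" ]; then
        echo "rejected: $2 is the network address" >&2; return 1
    elif [ "$e" -eq "$bcast" ]; then
        echo "rejected: $3 is the broadcast address" >&2; return 1
    elif [ "$gw" -ge "$s" ] && [ "$gw" -le "$e" ]; then
        echo "rejected: gateway $gw_ip lies inside the range" >&2; return 1
    fi
    return 0
}

# Constructed candidates: a usable range and the broadcast-ending range that
# is a common mistake.
for candidate in "10.0.0.2 10.0.0.254" "10.0.0.2 10.0.0.255"; do
    set -- $candidate
    if check_dhcp_range 10.0.0.1/24 "$1" "$2"; then
        echo "ok: dhcp-range=$1,$2,255.255.255.0,1h"
    fi
done
```

Run it before starting dnsmasq; the check only covers the range/subnet arithmetic, so the lease time and the interface name still need to be reviewed by hand.<br />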
<br />
Now start dnsmasq:<br />
# systemctl start dnsmasq.service<br />
<br />
==Connection sharing==<br />
<br />
Time to tie the two network interfaces to each other.<br />
<br />
===iptables===<br />
[[Simple stateful firewall]] documents the setup of an [[iptables]] firewall and NAT.<br />
<br />
===Shorewall===<br />
Shorewall, an iptables frontend, can be used as an easier alternative.<br />
<br />
# pacman -S shorewall<br />
<br />
====Shorewall configuration====<br />
<br />
See [[Shorewall]] for Shorewall configuration.<br />
<br />
==Cleanup==<br />
<br />
Now that the installation has been performed, it is necessary to remove as many packages as possible. Since we are making a gateway, keeping unneeded packages only "bloats" the system, and increases the number of security risks.<br />
<br />
First, list the foreign packages, i.e. installed packages that are no longer found in the sync databases (obsolete or dropped packages are likely to show up here after a fresh install followed by a large series of updates):<br />
<br />
$ pacman -Qm<br />
<br />
Review the list of explicitly installed packages that are not required by any other package, and remove any that are unneeded. Having only needed packages installed is an important security consideration.<br />
<br />
$ pacman -Qet<br />
<br />
Completely remove the packages you do not need along with their configuration files and dependencies:<br />
<br />
# pacman -Rsn package1 package2 package3<br />
<br />
== Logrotate ==<br />
<br />
You should review the [[logrotate]] configuration to make sure the box is not brought down by a lack of disk space due to logging.<br />
<br />
Logrotate is installed by default, so you will not have to install it.<br />
<br />
==Optional additions==<br />
<br />
===UPnP===<br />
The above configuration of shorewall does not include [http://en.wikipedia.org/wiki/UPnP UPnP] support. Use of [http://en.wikipedia.org/wiki/UPnP UPnP] is discouraged as it may make the gateway vulnerable to attacks from within the LAN. However, some applications such as MSN require this to function correctly.<br />
<br />
Read the [http://www.shorewall.net/UPnP.html Shorewall guide on UPnP] for more information.<br />
<br />
===Remote administration===<br />
<br />
[[SSH|OpenSSH]] can be used to administer your router remotely. This is useful for running it "headless" (no monitor or input devices).<br />
<br />
=== Caching web proxy ===<br />
<br />
See [[Squid]] or [[Polipo]] for the setup of a web proxy to speed up browsing and/or add an extra layer of security.<br />
<br />
=== Time server ===<br />
To use the router as a time server, see [[Network Time Protocol]].<br />
<br />
Then, configure shorewall or iptables to allow NTP traffic in and out.<br />
<br />
=== Content filtering ===<br />
<br />
Install and configure [[DansGuardian]] or [[Privoxy]] if you need a content filtering solution.<br />
<br />
=== Traffic shaping ===<br />
<br />
Traffic shaping is very useful, especially when you are not the only one on the LAN. The idea is to assign a priority to different types of traffic. Interactive traffic (ssh, online gaming) probably needs the highest priority, while P2P traffic can do with the lowest. Then there is everything in between.<br />
<br />
==== Traffic shaping with shorewall ====<br />
<br />
Read [http://www.shorewall.net/traffic_shaping.htm Shorewall's Traffic Shaping/Control] guide.<br />
<br />
Here is my config as an example:<br />
* /etc/shorewall/tcdevices : here is where you define the interface you want to have shaped and its rates. I have got an ADSL connection with a 4MBit down/256KBit up profile.<br />
ppp0 4mbit 256kbit<br />
* /etc/shorewall/tcclasses : here you define the minimum (rate) and maximum (ceil) throughput per class. You will assign each one to a type of traffic to shape.<br />
# interactive traffic (ssh)<br />
ppp0 1 full full 0<br />
# online gaming<br />
ppp0 2 full/2 full 5<br />
# http<br />
ppp0 3 full/4 full 10<br />
# rest<br />
ppp0 4 full/6 full 15 default<br />
* /etc/shorewall/tcrules : this file contains the types of traffic and the class it belongs to.<br />
1 0.0.0.0/0 0.0.0.0/0 tcp ssh<br />
2 0.0.0.0/0 0.0.0.0/0 udp 27000:28000<br />
3 0.0.0.0/0 0.0.0.0/0 tcp http<br />
3 0.0.0.0/0 0.0.0.0/0 tcp https<br />
I have split my traffic into 4 groups:<br />
# interactive traffic or ssh: although it takes up almost no bandwidth, it is very annoying if it lags due to leechers on the LAN. This gets the highest priority.<br />
# online gaming: needless to say you cannot play when your ping sucks. ;)<br />
# web traffic: can be a bit slower<br />
# everything else: every sort of download; they are the cause of the lag anyway.<br />
<br />
===Intrusion detection and prevention with snort===<br />
<br />
See [[Snort]].<br />
<br />
==See also==<br />
*[[Simple stateful firewall]]<br />
*[[Internet Share]]</div>Foucaulthttps://wiki.archlinux.org/index.php?title=Router&diff=268467Router2013-07-27T23:56:56Z<p>Foucault: /* IP configuration */ Updated information for netctl</p>
<hr />
<div>[[Category:Networking]]<br />
[[Category:Security]]<br />
{{Out of date|No more rc.conf, no more eth0,1,2}}<br />
This article is a tutorial for turning a computer into an internet gateway/router. It focuses on ''security'', since the gateway is connected directly to the Internet. It should not run '''any''' services available to the outside world. Towards the LAN, it should only run gateway-specific services. It should not run httpd, ftpd, samba, nfsd, etc.; those belong on a server inside the LAN, because every additional service on the gateway adds attack surface.<br />
<br />
This article does not attempt to show how to set up a shared connection between 2 PCs using cross-over cables. For a simple internet sharing solution, see [[Internet Share]].<br />
<br />
==Hardware Requirements==<br />
* At least 1 GB of hard drive space. The base install will take up around 500MB of space and if you want to use a caching web proxy, you will need to reserve space for the cache as well.<br />
* At least two physical network interfaces: a gateway connects two networks with each other. You will need to be able to connect those networks to the same physical computer. One interface must connect to the external network, while the other connects to the internal network.<br />
* A hub, switch or UTP cable: you need a way to connect the other computers to the gateway.<br />
<br />
==Conventions==<br />
This guide uses non-realistic interface names, to avoid confusion about which interface is which.<br />
<br />
* '''intern0''': the network card connected to the LAN. On an actual computer it will probably have the name eth0, eth1, etc.<br />
* '''extern1''': the network card connected to the external network (or WAN). It will probably have the name eth0, eth1, etc.<br />
<br />
==Installation==<br />
{{Note | For a full installation guide, see the [[Official Arch Linux Install Guide]].}}<br />
<br />
A fresh install of Arch Linux is the easiest to start from, as no configuration changes have been made yet and only a minimal number of packages is installed. This helps when trying to reduce the security risk.<br />
<br />
===Partitioning===<br />
<br />
For security purposes, {{ic|/var}}, {{ic|/tmp}} and {{ic|/home}} should be separate from the {{ic|/}} partition. This prevents disk space from being completely used up by log files, daemons or the unprivileged user. It also allows different mount options for those partitions. If you have already partitioned your drive, the [http://gparted.sourceforge.net/ gparted livecd] can be used to resize, move, or create new partitions.<br />
<br />
Your home and root partitions can be much smaller than a regular install since this is not a desktop machine. {{ic|/var}} should be the largest partition—it is where databases, logs and long-term caches are stored. If you have a lot of RAM, mounting {{ic|/tmp}} as {{ic|tmpfs}} is a good idea, so making a disk partition for it during the initial install is unnecessary. Note that {{ic|/tmp}} is mounted as {{ic|tmpfs}} by default in Arch.<br />
<br />
===Post-Installation===<br />
After creating a non-root account, it is recommended to install [[sudo]] and [[sudo#Disable root login|disable root login]].<br />
<br />
==Network interface configuration==<br />
<br />
===Persistent naming===<br />
When you let [[udev]] handle loading the modules, you may notice that your NICs switch names: on one boot your LAN NIC is eth0, on the next it is eth1, etc. (This might no longer be the case, see [http://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames PredictableNetworkInterfaceNames] and [[Network_Configuration#Device_names]].)<br />
<br />
To fix this problem, read [[Network_Configuration#Device_names]].<br />
<br />
===IP configuration===<br />
Now you will need to configure the network interfaces. The best way to do so is using [[netctl]] profiles. You will need to create two profiles.<br />
<br />
* /etc/netctl/extern1-profile<br />
Description='Public Interface'<br />
Interface=extern1<br />
Connection=ethernet<br />
IP='dhcp'<br />
<br />
* /etc/netctl/intern0-profile<br />
Description='Private Interface'<br />
Interface=intern0<br />
Connection=ethernet<br />
IP='static'<br />
Address=('10.0.0.1/24')<br />
<br />
{{Note|The example configuration above assumes a full /24 subnet. If you are building the gateway for a small number of people, you will want to change the CIDR suffix to accommodate a smaller range.}}<br />
<br />
Next, enable both profiles with netctl:<br />
# netctl enable extern1-profile<br />
# netctl enable intern0-profile<br />
<br />
==ADSL connection==<br />
Using rp-pppoe, we can connect an ADSL modem to the extern1 interface of the firewall and have Arch manage the connection. Make sure you put the modem in ''bridged'' mode though, otherwise the modem will act as a router too.<br />
# pacman -S rp-pppoe<br />
<br />
===Configuration: rp-pppoe===<br />
# /usr/sbin/pppoe-setup<br />
The questions are all documented. You can select "no firewall" because we will let Shorewall / iptables handle that part.<br />
<br />
==DNS and DHCP==<br />
We will use [[dnsmasq]], a DNS and DHCP daemon for the LAN. It was specifically designed for small sites. To get it, [[Pacman | install]] {{Pkg|dnsmasq}} from the [[official repositories]].<br />
<br />
Dnsmasq needs to be configured to be a DHCP server. To do this:<br />
<br />
Edit {{ic|/etc/dnsmasq.conf}}:<br />
<br />
interface=intern0 # make dnsmasq listen for requests only on intern0 (our LAN)<br />
expand-hosts # add a domain to simple hostnames in /etc/hosts<br />
domain=foo.bar # allow fully qualified domain names for DHCP hosts (needed when<br />
# "expand-hosts" is used)<br />
dhcp-range=10.0.0.2,10.0.0.254,255.255.255.0,1h # defines a DHCP range for the LAN:<br />
# from 10.0.0.2 to .254 (10.0.0.255 is the broadcast address of the /24 and must not<br />
# be leased), subnet mask 255.255.255.0, DHCP lease of 1 hour (change to your own preferences)<br />
<br />
Further down in the file you will notice that you can also add "static" DHCP leases, i.e. assign a fixed IP address to the MAC address of a computer on the LAN. This way, whenever that computer requests a new lease, it gets the same IP, which is very useful for network servers with a DNS record. You can also deny certain MAC addresses a lease.<br />
<br />
Now start dnsmasq:<br />
# systemctl start dnsmasq.service<br />
<br />
==Connection sharing==<br />
<br />
Time to tie the two network interfaces to each other.<br />
<br />
===iptables===<br />
[[Simple stateful firewall]] documents the setup of an [[iptables]] firewall and NAT.<br />
<br />
===Shorewall===<br />
Shorewall, an iptables frontend, can be used as an easier alternative.<br />
<br />
# pacman -S shorewall<br />
<br />
====Shorewall configuration====<br />
<br />
See [[Shorewall]] for Shorewall configuration.<br />
<br />
==Cleanup==<br />
<br />
Now that the installation has been performed, it is necessary to remove as many packages as possible. Since we are making a gateway, keeping unneeded packages only "bloats" the system, and increases the number of security risks.<br />
<br />
First, list the foreign packages, i.e. installed packages that are no longer found in the sync databases (obsolete or dropped packages are likely to show up here after a fresh install followed by a large series of updates):<br />
<br />
$ pacman -Qm<br />
<br />
Review the list of explicitly installed packages that are not required by any other package, and remove any that are unneeded. Having only needed packages installed is an important security consideration.<br />
<br />
$ pacman -Qet<br />
<br />
Completely remove the packages you do not need along with their configuration files and dependencies:<br />
<br />
# pacman -Rsn package1 package2 package3<br />
<br />
== Logrotate ==<br />
<br />
You should review the [[logrotate]] configuration to make sure the box is not brought down by a lack of disk space due to logging.<br />
<br />
Logrotate is installed by default, so you will not have to install it.<br />
<br />
==Optional additions==<br />
<br />
===UPnP===<br />
The above configuration of shorewall does not include [http://en.wikipedia.org/wiki/UPnP UPnP] support. Use of [http://en.wikipedia.org/wiki/UPnP UPnP] is discouraged as it may make the gateway vulnerable to attacks from within the LAN. However, some applications such as MSN require this to function correctly.<br />
<br />
Read the [http://www.shorewall.net/UPnP.html Shorewall guide on UPnP] for more information.<br />
<br />
===Remote administration===<br />
<br />
[[SSH|OpenSSH]] can be used to administer your router remotely. This is useful for running it "headless" (no monitor or input devices).<br />
<br />
=== Caching web proxy ===<br />
<br />
See [[Squid]] or [[Polipo]] for the setup of a web proxy to speed up browsing and/or add an extra layer of security.<br />
<br />
=== Time server ===<br />
To use the router as a time server, see [[Network Time Protocol]].<br />
<br />
Then, configure shorewall or iptables to allow NTP traffic in and out.<br />
<br />
=== Content filtering ===<br />
<br />
Install and configure [[DansGuardian]] or [[Privoxy]] if you need a content filtering solution.<br />
<br />
=== Traffic shaping ===<br />
<br />
Traffic shaping is very useful, especially when you are not the only one on the LAN. The idea is to assign a priority to different types of traffic. Interactive traffic (ssh, online gaming) probably needs the highest priority, while P2P traffic can do with the lowest. Then there is everything in between.<br />
<br />
==== Traffic shaping with shorewall ====<br />
<br />
Read [http://www.shorewall.net/traffic_shaping.htm Shorewall's Traffic Shaping/Control] guide.<br />
<br />
Here is my config as an example:<br />
* /etc/shorewall/tcdevices : here is where you define the interface you want to have shaped and its rates. I have got an ADSL connection with a 4MBit down/256KBit up profile.<br />
ppp0 4mbit 256kbit<br />
* /etc/shorewall/tcclasses : here you define the minimum (rate) and maximum (ceil) throughput per class. You will assign each one to a type of traffic to shape.<br />
# interactive traffic (ssh)<br />
ppp0 1 full full 0<br />
# online gaming<br />
ppp0 2 full/2 full 5<br />
# http<br />
ppp0 3 full/4 full 10<br />
# rest<br />
ppp0 4 full/6 full 15 default<br />
* /etc/shorewall/tcrules : this file contains the types of traffic and the class it belongs to.<br />
1 0.0.0.0/0 0.0.0.0/0 tcp ssh<br />
2 0.0.0.0/0 0.0.0.0/0 udp 27000:28000<br />
3 0.0.0.0/0 0.0.0.0/0 tcp http<br />
3 0.0.0.0/0 0.0.0.0/0 tcp https<br />
I have split my traffic into 4 groups:<br />
# interactive traffic or ssh: although it takes up almost no bandwidth, it is very annoying if it lags due to leechers on the LAN. This gets the highest priority.<br />
# online gaming: needless to say you cannot play when your ping sucks. ;)<br />
# web traffic: can be a bit slower<br />
# everything else: every sort of download; they are the cause of the lag anyway.<br />
<br />
===Intrusion detection and prevention with snort===<br />
<br />
See [[Snort]].<br />
<br />
==See also==<br />
*[[Simple stateful firewall]]<br />
*[[Internet Share]]</div>Foucaulthttps://wiki.archlinux.org/index.php?title=Installation_guide&diff=213940Installation guide2012-07-22T11:26:41Z<p>Foucault: /* Format partitions */</p>
<hr />
<div>[[Category:Getting and installing Arch]]<br />
[[fr:Arch_install_scripts]]<br />
The Arch Install Scripts are a set of [[Bash]] scripts that simplify Arch installation. This article summarizes a basic install process using these scripts.<br />
<br />
== Partition disks ==<br />
There are many utilities to use for the partitioning of disks such as {{ic|fdisk}}, {{ic|parted}}, {{ic|cfdisk}} etc. Pick one you are most familiar with.<br />
Remember to create any stacked block devices like [[lvm|LVM]], [[Dm-crypt_with_LUKS|LUKS]], or [[RAID|RAID]].<br />
<br />
== Format partitions ==<br />
{{ic|mkfs}} is a nice utility for formatting the partitions into filesystems of your choosing. By typing {{ic|mkfs}} and hitting {{ic|Tab}} you will see all the available choices.<br />
For example let's say we created three partitions {{ic|sda1}}, {{ic|sda2}} and {{ic|sda3}}. The corresponding commands can be found in the table below.<br />
{| class="wikitable"<br />
|-<br />
! scope="col"| Partition<br />
! scope="col"| Mountpoint<br />
! scope="col"| mkfs command<br />
|-<br />
| align="center"|{{ic|/dev/sda1}}<br />
| align="left"|{{ic|/boot}}<br />
| align="center"|{{ic|mkfs.ext4 /dev/sda1}}<br />
|-<br />
| align="center"|{{ic|/dev/sda2}}<br />
| align="left"|{{ic|/}}<br />
| align="center"|{{ic|mkfs.ext4 /dev/sda2}}<br />
|-<br />
| align="center"|{{ic|/dev/sda3}}<br />
| align="left"|{{ic|/home}}<br />
| align="center"|{{ic|mkfs.ext4 /dev/sda3}}<br />
|}<br />
<br />
If you are using (U)EFI you will most probably need another partition to host the UEFI System partition. Read [[Unified_Extensible_Firmware_Interface#Create_an_UEFI_System_Partition_in_Linux|this article]].<br />
<br />
== Mount the partitions ==<br />
Given the above example, we now must mount the root partition on {{ic|/mnt}}.<br />
# mount /dev/sda2 /mnt<br />
<br />
Next we create directories for any other partitions into {{ic|/mnt}} and then we mount them.<br />
<br />
# mkdir /mnt/boot && mount /dev/sda1 /mnt/boot<br />
<br />
Same with {{ic|/home}}<br />
<br />
# mkdir /mnt/home && mount /dev/sda3 /mnt/home<br />
<br />
== Connect to the internet ==<br />
Assuming a wired connection, running {{ic|dhcpcd}} is sufficient to get a lease. For more info visit [[configuring network]].<br />
<br />
== Install the base system ==<br />
Before installing, you may want to edit {{ic|/etc/pacman.d/mirrorlist}} such that your preferred mirror is first. This copy of the mirrorlist will be installed on your new system by {{ic|pacstrap}} as well, so it's worth getting it right.<br />
<br />
Using the [https://github.com/falconindy/arch-install-scripts/blob/master/pacstrap.in pacstrap] script we install the base system.<br />
<br />
# pacstrap /mnt base{,-devel} <br />
<br />
One can install other packages by appending their names to the above command (space separated).<br />
<br />
== Install a bootloader ==<br />
* [[Syslinux|Syslinux]]<br />
<br />
# pacstrap /mnt syslinux<br />
<br />
* [[Grub2|Grub]]<br />
<br />
** For BIOS<br />
<br />
# pacstrap /mnt grub-bios<br />
<br />
** For EFI (in rare cases you will need {{ic|grub-efi-i386}} instead)<br />
<br />
# pacstrap /mnt grub-efi-x86_64<br />
<br />
== Configure system ==<br />
Generate an [[fstab]] with the following command. (If you prefer to use UUIDs or labels, add the -U or -L option, respectively.)<br />
# genfstab -p /mnt >> /mnt/etc/fstab<br />
Next we [[chroot]] into our newly installed system.<br />
# arch-chroot /mnt<br />
<br />
* Write your hostname to {{ic|/etc/hostname}}.<br />
* Symlink {{ic|/etc/localtime}} to {{ic|/usr/share/zoneinfo/Zone/SubZone}}. Replace {{ic|Zone}} and {{ic|SubZone}} with your time zone. For example:<br />
<br />
# ln -s /usr/share/zoneinfo/Europe/Athens /etc/localtime<br />
<br />
* You may want to add [https://wiki.archlinux.org/index.php/Locale#Setting_system-wide_locale locale] preferences to {{ic|/etc/rc.conf}} or {{ic|/etc/locale.conf}}.<br />
<br />
* Uncomment your preferred [https://wiki.archlinux.org/index.php/Locale locales] from {{ic|/etc/locale.gen}} and generate them with {{ic|locale-gen}}.<br />
* Configure {{ic|/etc/mkinitcpio.conf}} as needed (see [[mkinitcpio]]) and create an initial ramdisk with<br />
<br />
# mkinitcpio -p linux<br />
<br />
* Configure the bootloader.<br />
<br />
* For syslinux, edit {{ic|/boot/syslinux/syslinux.cfg}} to point to the right {{ic|/boot}} partition. Then type the following command to install (-i), set the boot flag (-a) and install the MBR (-m).<br />
<br />
# /usr/sbin/syslinux-install_update -iam<br />
<br />
* For GRUB, run<br />
<br />
# grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
** and then (for BIOS)<br />
<br />
# grub-install --recheck /dev/sdX<br />
<br />
** or for EFI<br />
<br />
# grub-install --recheck<br />
<br />
* Set a root password with {{ic|passwd}}.<br />
<br />
== Unmount the things you mounted ==<br />
If you are still in the chroot environment then type {{ic|exit}} or {{ic|Ctrl+D}} in order to exit chroot.<br />
In [[#Mount the partitions|Mount the partitions]] we mounted the partitions under {{ic|/mnt}}. In this step we will unmount them.<br />
# umount /mnt/boot<br />
# umount /mnt/home<br />
# umount /mnt<br />
<br />
Finally reboot and configure your system as explained in [[Beginners' Guide/Post-Installation]].</div>Foucaulthttps://wiki.archlinux.org/index.php?title=PKGBUILD_(%CE%95%CE%BB%CE%BB%CE%B7%CE%BD%CE%B9%CE%BA%CE%AC)&diff=210949PKGBUILD (Ελληνικά)2012-06-22T19:31:26Z<p>Foucault: /* changelog */</p>
<hr />
<div>[[Category:About Arch (Ελληνικά)]]<br />
[[Category:Package development (Ελληνικά)]]<br />
[[cs:PKGBUILD]]<br />
[[en:PKGBUILD]]<br />
[[es:PKGBUILD]]<br />
[[fa:PKGBUILD]]<br />
[[fr:PKGBUILD]]<br />
[[pl:PKGBUILD]]<br />
[[pt:PKGBUILD]]<br />
[[sr:PKGBUILD]]<br />
[[zh-CN:PKGBUILD]]<br />
[[zh-TW:PKGBUILD]]<br />
<br />
{{Article summary start}}<br />
{{Article summary text|This article explains the PKGBUILD variables used when [[Creating Packages|creating packages]]. A PKGBUILD file is a shell script that describes how a piece of software is compiled and "packaged". Writing install functions and general package-creation information are covered in [[Creating Packages]] and other [[:Category:Package development|package development]] articles.}}<br />
{{Article summary heading|Overview}}<br />
{{Article summary text|{{Package management overview}}}}<br />
{{Article summary heading|Related}}<br />
{{Article summary wiki|Arch Packaging Standards}}<br />
{{Article summary wiki|Creating Packages}}<br />
{{Article summary wiki|Custom local repository}}<br />
{{Article summary wiki|pacman Tips}}<br />
{{Article summary heading|Resources}}<br />
{{Article summary link|PKGBUILD(5) Manual Page|https://www.archlinux.org/pacman/PKGBUILD.5.html}}<br />
{{Article summary end}}<br />
<br />
'''PKGBUILD''' is the [[Arch Linux]] [[Creating Packages|package build]] description file.<br />
<br />
Packages in Arch Linux are built with the [[makepkg]] utility, and the information needed to build them is kept in the PKGBUILD file. When '''makepkg''' is run, it looks for a {{Ic|PKGBUILD}} file in the current directory and follows its instructions to either compile or otherwise obtain the files required to create the package ({{ic|''pkgname''.pkg.tar.xz}}), which will ultimately contain all the binary files together with the installation instructions and can then be installed directly with [[pacman]].<br />
<br />
== Variables ==<br />
The following variables can be filled in in the PKGBUILD file.<br />
<br />
It is common practice to define the variables in the same order in which they are presented here. However, this is not mandatory, as long as correct [[Bash]] syntax is used.<br />
<br />
=== pkgname ===<br />
The name of the package. It may contain ''only alphanumeric characters and/or the characters @ . _ + - (at, dot, underscore, plus, hyphen)''. All characters must be ''lowercase'' and names ''must not start with a hyphen''. For consistency, {{ic|pkgname}} should match the name used in the source tarball of the program the PKGBUILD is for. For example, if the program's source is distributed as {{ic|foobar-2.5.tar.gz}}, then the {{ic|pkgname}} variable should be {{Ic|foobar}}. The current working directory containing the PKGBUILD should also match {{ic|pkgname}}.<br />
<br />
=== pkgver ===<br />
The current version of the package. This value should be the same as the version released by the package's developer. It may contain letters, numbers and dots but must '''not''' contain hyphens. If the upstream developer uses hyphens in the package version, they must be replaced with underscores. For example, if the version is ''0.99-10'', it must be changed to ''0.99_10''. If the {{ic|pkgver}} variable is used later in the PKGBUILD, the underscore can easily be substituted back. For example:<br />
source=($pkgname-${pkgver//_/-}.tar.gz)<br />
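<br />
The pkgname and pkgver rules above are mechanical enough to check automatically before running makepkg. The following is an added example, not part of this page or of makepkg, of small POSIX shell functions that validate a pkgname, a pkgver and a pkgrel against exactly those rules, map an upstream version with hyphens to a pkgver and back, and build the tarball name that the {{ic|source=($pkgname-${pkgver//_/-}.tar.gz)}} line produces. The package names and directories used are constructed; {{ic|tr}} stands in for the bash-only {{ic|${var//_/-}}} expansion so the script also runs under plain sh.<br />

```shell
#!/bin/sh
# Added example, not from the page or from makepkg: check pkgname, pkgver and
# pkgrel against the rules stated above, and show the hyphen/underscore mapping
# between an upstream version and pkgver. The package names used are constructed.

# valid_pkgname NAME -> 0 if NAME consists only of lowercase alphanumerics and
# the characters @ . _ + - and does not start with a hyphen
valid_pkgname() {
    case $1 in
        '' | -*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^[a-z0-9@._+-]+$'
}

# valid_pkgver VER -> 0 if VER contains only letters, digits, dots and the
# underscores that replace upstream hyphens (no hyphen allowed)
valid_pkgver() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9._]+$'
}

# valid_pkgrel REL -> 0 if REL is a positive integer (1 for a new upstream version)
valid_pkgrel() {
    printf '%s\n' "$1" | grep -Eq '^[1-9][0-9]*$'
}

# upstream_to_pkgver VER -> VER with every hyphen turned into an underscore
# (0.99-10 -> 0.99_10)
upstream_to_pkgver() {
    printf '%s\n' "$1" | tr '-' '_'
}

# source_name NAME PKGVER -> the tarball name the page's
# source=($pkgname-${pkgver//_/-}.tar.gz) line produces; tr replaces the
# bash-only ${var//_/-} expansion so this runs under plain sh as well
source_name() {
    printf '%s-%s.tar.gz\n' "$1" "$(printf '%s' "$2" | tr '_' '-')"
}

# check_pkgbuild_vars NAME VER REL DIR -> prints every violated rule and returns
# the number of violations (0 means all rules hold). DIR is the directory
# holding the PKGBUILD, which should be named after the package.
check_pkgbuild_vars() {
    n=0
    valid_pkgname "$1" || { echo "pkgname '$1': lowercase a-z0-9@._+- only, no leading hyphen"; n=$((n + 1)); }
    valid_pkgver "$2"  || { echo "pkgver '$2': letters, digits, dots and underscores only (use $(upstream_to_pkgver "$2"))"; n=$((n + 1)); }
    valid_pkgrel "$3"  || { echo "pkgrel '$3': must be a positive integer, 1 for a new upstream version"; n=$((n + 1)); }
    [ "$(basename "$4")" = "$1" ] || { echo "directory '$4' should be named '$1'"; n=$((n + 1)); }
    return $n
}

# Constructed inputs: one correct set and one that breaks every rule.
check_pkgbuild_vars foobar 0.99_10 1 /home/build/foobar && echo "foobar: ok, source=$(source_name foobar 0.99_10)"
check_pkgbuild_vars -FooBar 0.99-10 0 /home/build/foobar || echo "-FooBar: $? problems"
```

The second call reports four problems (uppercase and leading hyphen in the name, a hyphen in the version, a zero release number and a mismatched directory name); the first passes and prints {{ic|foobar-0.99-10.tar.gz}}, the upstream tarball name recovered from the underscored pkgver.<br />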
<br />
=== pkgrel ===<br />
The release number of the package, specific to Arch Linux. This variable allows users to differentiate between consecutive builds of the same version of a package. When a new version of the package is released, or a package is created for the first time, {{ic|pkgrel}} '''must be 1'''. As fixes or optimizations to the PKGBUILD are released, {{ic|pkgrel}} is incremented by one and the package is republished.<br />
<br />
=== epoch ===<br />
An integer value, specific to Arch Linux, that dictates against which 'epoch' the version numbers should be compared. This value allows the usual version-comparison rules to be overridden for packages that have inconsistent version numbering, require a downgrade, a change of numbering scheme, etc. By default, packages are assumed to have an epoch value of ''0''. Do not use this field unless you know what you are doing.<br />
<br />
=== pkgdesc ===<br />
The description of the package. The description should be at most 80 characters long and should not include the package name in a self-referencing way. For example, "Nedit is a text editor for X11" should be written as "a text editor for X11".<br />
<br />
{{Note|Do not follow this rule blindly when submitting packages to the [[AUR]]. If, for whatever reason, the package name differs from the name of the application, including the full name in the description may be the only way to ensure that the package is found when searched for.}}<br />
<br />
=== arch ===<br />
An array of architectures on which the {{ic|PKGBUILD}} file is known to work. Currently, it should contain {{ic|i686}} and/or {{ic|x86_64}}, i.e. {{ic|1=arch=('i686' 'x86_64')}}. The value {{ic|any}} can be used for architecture-independent packages.<br />
<br />
You can access the architecture of the target system through the {{ic|$CARCH}} variable during the build, even while defining variables. See also {{bug|16352}}. Example:<br />
<br />
depends=(foobar)<br />
if test "$CARCH" == x86_64; then<br />
depends+=(lib32-glibc)<br />
fi<br />
<br />
=== url ===<br />
The URL of the official website of the software being packaged.<br />
<br />
=== license ===<br />
The license under which the software is distributed. The {{pkg|licenses}} package has been created in {{ic|[core]}}; it gathers the commonly used licenses in the {{ic|/usr/share/licenses/common}} directory, e.g. {{ic|/usr/share/licenses/common/GPL}}. If a package is distributed under one of these licenses, the value should be set to the directory name, e.g. {{ic|1=license=('GPL')}}. If the relevant license is not included in the official {{Pkg|licenses}} package, the following procedure must be followed:<br />
<br />
# The license file(s) must be included in the directory {{ic|/usr/share/licenses/''pkgname''/}}, e.g. {{ic|/usr/share/licenses/foobar/LICENSE}}.<br />
# If the source tarball does NOT contain the license details and the license only appears in some other location, e.g. a website, then you must copy the license into a file and include it.<br />
# Add the {{ic|custom}} marker to the {{ic|license}} field. Optionally, you can replace {{ic|custom}} with {{ic|custom:license name}}. Once a license is used in two or more packages in an official repository (including {{ic|[community]}}), it is added to the {{Pkg|licenses}} package.<br />
* The [[Wikipedia:BSD License|BSD]], [[Wikipedia:MIT License|MIT]], [[Wikipedia:ZLIB license|zlib/png]] and [[Wikipedia:Python License|Python]] licenses are special cases and could not be included in the {{pkg|licenses}} package. To keep the {{ic|license}} field simple, they are treated as common licenses ({{ic|1=license=('BSD')}}, {{ic|1=license=('MIT')}}, {{ic|1=license=('ZLIB')}} and {{ic|1=license=('Python')}}) but, technically speaking, each one is a custom license, because each carries its own copyright line. Any package licensed under one of these four licenses should have its own unique license stored in {{ic|/usr/share/licenses/''pkgname''}}. Some packages may not be covered by a single license. In such cases, multiple entries can be made in the license field, e.g. {{ic|1=license=('GPL' 'custom:license name')}}.<br />
* Additionally, the (L)GPL has many versions and permutations of those versions. For (L)GPL software, the convention is:<br />
** (L)GPL - (L)GPLv2 or any later version<br />
** (L)GPL2 - (L)GPL2 only<br />
** (L)GPL3 - (L)GPL3 or any later version<br />
* If after researching the matter no license can be determined, {{ic|PKGBUILD.proto}} suggests using the {{ic|unknown}} marker. However, upstream should be notified about the terms under which the software is (and is not) available.<br />
<br />
{{Tip|Μερικοί προγραμματιστές δεν παρέχουν ξεχωριστο αρχείο και περιγράφουν τους όρους διαμοιρασμού σε τμήμα του κοινώς χρησιμοποιούμενου αρχείου ReadMe.txt. Οι πληροφορίες αυτές μπορουν να εξαχθουν σε ξεχωριστό αρχείο κατά την διάρκεια της φάσης {{Ic|μεταγλώττισης}} με την χρήση άνάλογης εντολής με την: {{Ic|sed -n '/'''This software'''/,/''' thereof.'''/p' ReadMe.txt > LICENSE}}.}}<br />
<br />
=== groups ===<br />
The group the package belongs to. For example, when you install the {{Pkg|kdebase}} package, all packages belonging to the {{Grp|kde}} group are installed.<br />
<br />
=== depends ===<br />
An array of package names that must be installed before this software can be run. If the software requires a minimum version of a dependency, the {{ic|1=>=}} operator should be used to indicate this requirement, e.g. {{ic|1=depends=('foobar>=1.8.0')}}. You do not need to list packages that your software depends on if other packages your software depends on already list them as their own dependencies. For example, {{pkg|gtk2}} depends on {{pkg|glib2}} and {{pkg|glibc}}. However, {{pkg|glibc}} does not need to be listed as a dependency of {{pkg|gtk2}}, because it is already a dependency of {{pkg|glib2}}.<br />
<br />
=== makedepends ===<br />
An array of package names that must be installed in order to build the software, but are not needed to use it after installation. You can specify the minimum dependency version in the same way as described under {{ic|depends}}.<br />
<br />
{{Warning|The {{Grp|base-devel}} group is assumed to be installed when building with makepkg. Members of the "base-devel" group '''should not''' be included in the {{ic|makedepends}} field.}}<br />
<br />
=== checkdepends ===<br />
An array of packages this package depends on in order to run its test suite, but which are not needed at runtime. Packages in this list follow the same format as the depends field. These dependencies are only considered when the [[Creating Packages#The check() function|check()]] function is present and is to be run by makepkg.<br />
<br />
=== optdepends ===<br />
An array of package names that are not needed for the software to function but provide additional features. A short description of what each package provides should also be noted. An {{ic|optdepends}} field may look like this:<br />
optdepends=('cups: printing support'<br />
'sane: scanners support'<br />
'libgphoto2: digital cameras support'<br />
'alsa-lib: sound support'<br />
'giflib: GIF images support'<br />
'libjpeg: JPEG images support'<br />
'libpng: PNG images support')<br />
<br />
=== provides ===<br />
An array of package names (or a virtual package such as {{Ic|cron}} or {{Ic|sh}}) whose features the current package provides. Packages that provide the same things can be installed at the same time, unless they conflict with each other (see below). If you use this variable, you should add the version ({{ic|pkgver}} and perhaps {{ic|pkgrel}}) that this package will provide, if dependencies may be affected by it. For example, if you provide a modified ''qt'' package named ''qt-foobar'' version 3.3.8 which provides ''qt'', then the {{ic|provides}} field should look like {{ic|1=provides=('qt=3.3.8')}}. Using {{ic|1=provides=('qt')}} would fail to satisfy any dependency that requires a specific version of ''qt''. Do not add {{ic|pkgname}} to the provides field, as this is done automatically.<br />
<br />
=== conflicts ===<br />
An array of package names that may cause problems with the current package if installed. The package with this name, and all packages that {{Ic|provide}} it as a virtual package of that name, will be removed. You can specify version properties of the conflicting packages in the same way as in the {{ic|depends}} field.<br />
<br />
=== replaces ===<br />
An array of obsolete package names that are replaced by the current package, e.g. {{ic|1=replaces=('ethereal')}} for the {{pkg|wireshark}} package. After syncing with {{ic|pacman -Sy}}, an installed package is immediately replaced as soon as another package with the matching {{ic|replaces}} tag is found in the repositories. If you provide an alternate version of an already existing package, use the {{ic|conflicts}} variable instead, which is only evaluated when actually installing the conflicting package.<br />
<br />
=== backup ===<br />
An array of files that contain system-wide user changes and should be preserved during package upgrade or removal; this is mainly intended for configuration files in {{ic|/etc}}.<br />
<br />
When upgrading, the new version may be saved as {{ic|file.pacnew}} to avoid overwriting an existing file that has been modified by the user. Likewise, when the package is removed, the user-modified file will be preserved as {{ic|file.pacsave}}, unless the package was removed with {{ic|pacman -Rn}}.<br />
<br />
File paths in this field should be relative (e.g. {{ic|etc/pacman.conf}}) rather than absolute (e.g. {{ic|/etc/pacman.conf}}). See also [[Pacnew and Pacsave Files]].<br />
<br />
=== options ===<br />
This field allows you to override some of makepkg's default behaviour, as defined in /etc/makepkg.conf. To set an option, add its name to the field. To reverse the default, add a ! at the beginning of the option name. The following options can be added to the field:<br />
<br />
* '''''strip''''' - Strips symbols from binaries and libraries. If you frequently use a debugger on programs or libraries, it may be worth disabling this option.<br />
* '''''docs''''' - Saves {{ic|/doc}} directories.<br />
* '''''libtool''''' - Leaves ''libtool'' ({{ic|.la}}) files in packages.<br />
* '''''emptydirs''''' - Leaves empty directories in packages.<br />
* '''''zipman''''' - Compresses ''man'' and ''info'' pages with ''gzip''.<br />
* '''''ccache''''' - Allows the use of {{ic|ccache}} during the build. More useful in its negative form {{ic|!ccache}} for specific packages that have problems building with {{ic|ccache}} enabled.<br />
* '''''distcc''''' - Allows the use of {{ic|distcc}} during the build. More useful in its negative form {{ic|!distcc}} for specific packages that have problems building with {{ic|distcc}} enabled.<br />
* '''''buildflags''''' - Allows the use of user-defined {{ic|buildflags}} (CFLAGS, CXXFLAGS, LDFLAGS) during the build. More useful in its negative form {{ic|!buildflags}} for specific packages that have problems building with custom {{ic|buildflags}}.<br />
* '''''makeflags''''' - Allows the use of user-defined {{ic|makeflags}} during the build. More useful in its negative form {{ic|!makeflags}} for specific packages that have problems building with custom {{ic|makeflags}}.<br />
<br />
=== install ===<br />
The name of the {{ic|.install}} script to be included in the package. pacman can store and execute a package-specific script when it installs, removes or upgrades a package. The script contains the following functions, which run at different times:<br />
<br />
* '''''pre_install''''' - The script is run right before files are extracted. One argument is passed: the new package version.<br />
* '''''post_install''''' - The script is run right after files are extracted. One argument is passed: the new package version.<br />
* '''''pre_upgrade''''' - The script is run before files are extracted. Two arguments are passed, in this order: the new package version, the old package version.<br />
* '''''post_upgrade''''' - The script is run after files are extracted. Two arguments are passed, in this order: the new package version, the old package version.<br />
* '''''pre_remove''''' - The script is run right before files are removed. One argument is passed: the old package version.<br />
* '''''post_remove''''' - The script is run right after files are removed. One argument is passed: the old package version.<br />
<br />
Each function is run chrooted inside pacman's install root. See [https://bbs.archlinux.org/viewtopic.php?pid=913891 this thread].<br />
<br />
{{Tip|A prototype {{ic|.install}} file is provided at {{ic|/usr/share/pacman/proto.install}}.}}<br />
<br />
=== changelog ===<br />
The name of the package changelog file. To view the changelog of an installed package (provided one was included):<br />
pacman -Qc ''pkgname''<br />
<br />
{{Tip|A prototype changelog file is provided at {{ic|/usr/share/pacman/ChangeLog.proto}}.}}<br />
<br />
=== source ===<br />
An array of files needed to build the package. It must contain the location of the software source, which in most cases is a full HTTP or FTP URL. The previously defined {{ic|pkgname}} and {{ic|pkgver}} variables can be used here (e.g. {{ic|<nowiki>source=(http://example.com/$pkgname-$pkgver.tar.gz)</nowiki>}}).<br />
<br />
{{Note|If you need to supply files that are not directly downloadable, e.g. custom patches, simply put them in the same directory as the {{ic|PKGBUILD}} file and add the file name to this array. Any paths added here are resolved relative to the directory where the {{ic|PKGBUILD}} is located. Before the actual build process starts, all files referenced in this array will be downloaded or checked for existence, and {{ic|makepkg}} will not proceed if any are missing.}}<br />
<br />
{{Tip|You can specify a different name for the downloaded file, if for some reason the downloaded file has a different name (for example because the URL has a GET parameter), using the syntax {{Ic|''filename''::''fileuri''}}, for example {{Ic|$pkgname-$pkgver.zip::<nowiki>http://199.91.152.193/7pd0l2tpkidg/jg2e1cynwii/Warez_collection_16.4.exe</nowiki>}}.}}<br />
<br />
=== noextract ===<br />
An array of files listed in {{ic|source}} that should not be extracted from their archive format by {{ic|makepkg}}. This applies mostly to certain zip files that cannot be handled by {{ic|/usr/bin/bsdtar}}, because {{Pkg|libarchive}} processes all files as streams, as opposed to {{Pkg|unzip}}, which takes a random-access approach. In these cases {{ic|unzip}} should be listed in {{ic|makedepends}} and the first line of the [[Creating Packages#The build() function|build()]] function should contain:<br />
<br />
cd "$srcdir/$pkgname-$pkgver"<br />
unzip [source].zip<br />
<br />
Note that while the {{ic|source}} array accepts URLs, {{ic|noextract}} takes '''only''' the file-name part. For example, you would do something like this (simplified from the grub2 [https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/grub2&id=f054e33a0b5cbdfe7d81e91a8c4c807a9bfaa124 PKGBUILD]):<br />
<br />
source=(<nowiki>"http://ftp.archlinux.org/other/grub2/grub2_extras_lua_r20.tar.xz"</nowiki>)<br />
noextract=("grub2_extras_lua_r20.tar.xz")<br />
<br />
To extract ''nothing'', you can do something clever like the following (adapted from the [https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/firefox-i18n&id=cb10a40aeda9b444285d1ae6959c344110b4c936 firefox-i18n] PKGBUILD):<br />
<br />
noextract=(${source[@]##*/})<br />
<br />
{{Note|A more conservative Bash substitution would include quoting, or possibly a loop that calls {{ic|basename}}. If you have read this far, you should get the idea.}}<br />
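The loop form that the Note above refers to, as an added example that is not the wiki's or makepkg's own code. It handles the three forms a {{ic|source}} entry can take, namely a bare file name, a URL, and the {{ic|''filename''::''fileuri''}} rename syntax from the {{ic|source}} section, and shows why the bare expansion above is not enough: for a renamed entry, the last path component of the URL is not the name the file is saved under. The {{ic|pkgname}}, {{ic|pkgver}} and example.com URL values are constructed for the demonstration; makepkg's own handling of VCS sources is more involved and is not modelled here.

```bash
#!/bin/bash
# Added example: derive noextract=() entries from a source=() array one entry
# at a time, instead of the bare ${source[@]##*/} expansion.
# Constructed values; not the wiki's or makepkg's own code.

# Print the file name makepkg will save a source entry under.
#   "name::url"                    -> name   (explicit rename, see the source section)
#   "http://host/path/file.tar.xz" -> file.tar.xz
#   "local.patch"                  -> local.patch
source_basename() {
    local entry=$1
    case $entry in
        *::*) entry=${entry%%::*} ;;   # keep only the chosen local name
    esac
    printf '%s\n' "${entry##*/}"       # last path component
}

# Fill the global noextract array from every entry given as an argument.
# Each entry is quoted and handled separately, so names containing '?',
# '=' or other shell metacharacters survive unchanged.
build_noextract() {
    local entry
    noextract=()
    for entry in "$@"; do
        noextract+=("$(source_basename "$entry")")
    done
}

# Constructed source array mixing all three forms.
pkgname=foobar
pkgver=1.2
source=(
    "http://ftp.archlinux.org/other/grub2/grub2_extras_lua_r20.tar.xz"
    "$pkgname-$pkgver.zip::http://example.com/download?id=42"
    "local-fix.patch"
)

build_noextract "${source[@]}"
printf 'noextract=(%s)\n' "${noextract[*]}"
# Prints: noextract=(grub2_extras_lua_r20.tar.xz foobar-1.2.zip local-fix.patch)
# The bare ${source[@]##*/} expansion would have produced "download?id=42"
# for the second entry, which is not a file makepkg ever writes.
```

Because {{ic|noextract}} is matched against the saved file name, an entry that does not match silently has no effect and the archive is extracted anyway; deriving the names from the same array the sources come from keeps the two in step.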
<br />
=== md5sums ===<br />
An array of MD5 checksums of the files listed in the {{ic|source}} array. Once all files in {{ic|source}} are available, an MD5 hash of each file is generated automatically and compared with the values in this array, in the same order as they appear in {{ic|source}}. While the order of the source files themselves does not matter, it is important that it matches the order of this array, since {{ic|makepkg}} cannot guess which checksum belongs to which source file. You can generate this array quickly and easily by running {{ic|makepkg -g}} in the directory containing the {{ic|PKGBUILD}}. Note that the MD5 algorithm has known weaknesses, so you should consider using a stronger alternative.<br />
<br />
=== sha1sums ===<br />
An array of SHA-1 160-bit checksums. This is an alternative to the {{ic|md5sums}} described above, but it is also known to have weaknesses, so you should consider using a stronger alternative. To enable the use and generation of these checksums, be sure to set the {{ic|INTEGRITY_CHECK}} option in {{ic|/etc/makepkg.conf}}. See {{ic|man makepkg.conf}}.<br />
<br />
=== sha256sums, sha384sums, sha512sums ===<br />
An array of SHA-2 checksums with digest sizes of 256, 384 and 512 bits respectively. These are alternatives to the {{ic|md5sums}} described above and are generally believed to be stronger. To enable the use and generation of these checksums, be sure to set the {{ic|INTEGRITY_CHECK}} option in {{ic|/etc/makepkg.conf}}. See {{ic|man makepkg.conf}}.<br />
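The positional pairing of {{ic|source}} entries and checksums described in the three sections above, as an added example that is not makepkg's own code: a verifier that compares the n-th file with the n-th {{ic|sha256sums}} entry and stops at the first mismatch, plus a generator that prints the array in the form you would paste into a PKGBUILD, in the spirit of {{ic|makepkg -g}}. The fixture files are constructed in a temporary directory so the script runs offline, and it relies on the coreutils {{ic|sha256sum}} command. SHA-256 is used rather than MD5 or SHA-1 for the reason the text gives: a checksum whose collisions are practical does not tell you that the download is the file the packager saw.

```bash
#!/bin/bash
# Added example: positional source/checksum verification in the style of
# makepkg's integrity check. Not makepkg's own code; fixtures are constructed.

# Print a sha256sums=() array for the given files, in argument order, so the
# output can be pasted into a PKGBUILD next to a source=() array in the same order.
generate_sha256sums() {
    local file sums=()
    for file in "$@"; do
        sums+=("'$(sha256sum "$file" | cut -d' ' -f1)'")
    done
    printf 'sha256sums=(%s)\n' "${sums[*]}"
}

# Compare each file given as an argument with the entry at the same index in
# the global sha256sums array. Returns 0 if every file matches, 1 on a
# checksum or count mismatch, 2 if a file is missing.
verify_sha256sums() {
    local i=0 file expected actual
    if [ "$#" -ne "${#sha256sums[@]}" ]; then
        echo "error: ${#sha256sums[@]} checksums given for $# source files" >&2
        return 1
    fi
    for file in "$@"; do
        expected=${sha256sums[$i]}
        i=$((i + 1))
        if [ ! -f "$file" ]; then
            echo "error: $file: missing" >&2
            return 2
        fi
        actual=$(sha256sum "$file" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "error: $file: expected $expected, got $actual" >&2
            return 1
        fi
    done
    return 0
}

# Run the check against two constructed files: once with the files in the
# order the checksums were generated for, and once swapped. makepkg has no way
# to tell "reordered" from "tampered", so the second run must be rejected.
# Returns 0 only if both runs behave as expected.
demo_positional_check() {
    local dir rc
    dir=$(mktemp -d) || return 3
    printf 'alpha\n' > "$dir/a-1.0.tar"
    printf 'beta\n'  > "$dir/b-2.0.tar"

    # Equivalent of running makepkg -g and pasting the result into the PKGBUILD.
    eval "$(generate_sha256sums "$dir/a-1.0.tar" "$dir/b-2.0.tar")"

    if verify_sha256sums "$dir/a-1.0.tar" "$dir/b-2.0.tar"; then rc=0; else rc=$?; fi
    [ "$rc" -eq 0 ] || { rm -rf "$dir"; return 1; }

    # Same files, different order: checksum index 0 no longer matches file 0.
    if verify_sha256sums "$dir/b-2.0.tar" "$dir/a-1.0.tar" 2>/dev/null; then rc=0; else rc=$?; fi
    rm -rf "$dir"
    [ "$rc" -eq 1 ]
}

demo_positional_check && echo "ordered check passed, reordered check rejected"
```

Generating the array is only half of the job: the values it prints are whatever was downloaded at that moment, so compare them against an upstream-published checksum or signature before committing them to the PKGBUILD, otherwise the array merely pins the first download rather than attesting to it.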
<br />
== See also ==<br />
*[http://pastebin.com/MeXiLDV9 Sample PKGBUILD file]<br />
*[http://seberm.pastebin.com/gP0tBqvs Sample .install file]</div>Foucaulthttps://wiki.archlinux.org/index.php?title=PKGBUILD_(%CE%95%CE%BB%CE%BB%CE%B7%CE%BD%CE%B9%CE%BA%CE%AC)&diff=210948PKGBUILD (Ελληνικά)2012-06-22T19:31:15Z<p>Foucault: /* changelog */</p>
<hr />
<div>[[Category:About Arch (Ελληνικά)]]<br />
[[Category:Package development (Ελληνικά)]]<br />
[[cs:PKGBUILD]]<br />
[[en:PKGBUILD]]<br />
[[es:PKGBUILD]]<br />
[[fa:PKGBUILD]]<br />
[[fr:PKGBUILD]]<br />
[[pl:PKGBUILD]]<br />
[[pt:PKGBUILD]]<br />
[[sr:PKGBUILD]]<br />
[[zh-CN:PKGBUILD]]<br />
[[zh-TW:PKGBUILD]]<br />
<br />
{{Article summary start}}<br />
{{Article summary text|This article provides an explanation of the PKGBUILD variables used when [[Creating Packages|creating packages]]. A PKGBUILD file is a script that describes how software is built and "packaged". Writing install functions and general package-building information are covered in [[Creating Packages]] and the other [[:Category:Package development|package development]] articles.}}<br />
{{Article summary heading|Overview}}<br />
{{Article summary text|{{Package management overview}}}}<br />
{{Article summary heading|Related}}<br />
{{Article summary wiki|Arch Packaging Standards}}<br />
{{Article summary wiki|Creating Packages}}<br />
{{Article summary wiki|Custom local repository}}<br />
{{Article summary wiki|pacman Tips}}<br />
{{Article summary heading|Resources}}<br />
{{Article summary link|PKGBUILD(5) Manual Page|https://www.archlinux.org/pacman/PKGBUILD.5.html}}<br />
{{Article summary end}}<br />
<br />
'''PKGBUILD''' is the [[Arch Linux]] package build description file used when [[Creating Packages|creating packages]].<br />
<br />
Packages in Arch Linux are built using the [[makepkg]] utility and the information stored in a PKGBUILD file. When '''makepkg''' is run, it searches for a {{Ic|PKGBUILD}} file in the current directory and follows the instructions in it to either compile or otherwise acquire the files required to build a package ({{ic|''pkgname''.pkg.tar.xz}}), which contains all the binary files and installation instructions and can then be installed directly with [[pacman]].<br />
<br />
== Variables ==<br />
The following variables can be filled in the PKGBUILD file.<br />
<br />
It is common practice to define the variables in the same order as they are presented here. However, this is not mandatory, as long as correct [[Bash]] syntax is used.<br />
<br />
=== pkgname ===<br />
The name of the package. It must consist of ''alphanumeric characters and/or the characters @ . _ + - (at, period, underscore, plus, hyphen)''. All letters must be ''lowercase'' and names ''must not start with a hyphen''. For consistency, {{ic|pkgname}} should match the name used in the source tarball of the software the PKGBUILD is written for. For example, if the software source is distributed as {{ic|foobar-2.5.tar.gz}}, then {{ic|pkgname}} should be {{Ic|foobar}}. The working directory containing the PKGBUILD should also match {{ic|pkgname}}.<br />
<br />
=== pkgver ===<br />
The version of the package. This should be the same as the version released by the package author. It can contain letters, numbers and periods, but '''must not''' contain hyphens. If the upstream author uses hyphens in the version, they must be replaced with underscores. For example, if the version is ''0.99-10'' it should be changed to ''0.99_10''. If {{ic|pkgver}} is used later in the PKGBUILD, the underscore can easily be substituted back. For example:<br />
source=($pkgname-${pkgver//_/-}.tar.gz)<br />
<br />
=== pkgrel ===<br />
The Arch Linux-specific release number of the package. This variable allows users to differentiate between consecutive builds of the same version of a package. When a new package version is released, or a package is built for the first time, {{ic|pkgrel}} '''must be 1'''. As fixes or optimizations are made to the PKGBUILD, {{ic|pkgrel}} is incremented by one and the package is re-released.<br />
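The naming rules from the {{ic|pkgname}}, {{ic|pkgver}} and {{ic|pkgrel}} sections, turned into a small pre-build check as an added example (constructed here, not part of makepkg): each rule becomes a function that accepts or rejects a value, together with the underscore/hyphen conversion the {{ic|pkgver}} section shows. The checks implement only what the text states (lowercase names from the listed character set, no leading hyphen, no hyphen in {{ic|pkgver}}, {{ic|pkgrel}} a positive integer); makepkg's own validation is stricter in places. The foobar 0.99-10 values are the ones used in the text above.

```bash
#!/bin/bash
# Added example: validate pkgname / pkgver / pkgrel against the rules stated
# above before running makepkg. Constructed; not makepkg's own code.

# pkgname: lowercase alphanumerics and @ . _ + - only; must not start with "-".
valid_pkgname() {
    case $1 in
        '' | -*)            return 1 ;;   # empty or leading hyphen
        *[!a-z0-9@._+-]*)   return 1 ;;   # anything outside the allowed set
    esac
    return 0
}

# pkgver: letters, digits and periods (underscores stand in for upstream
# hyphens); a hyphen is never allowed, because pacman uses it as the
# separator between pkgver and pkgrel in the full version string.
valid_pkgver() {
    case $1 in
        '' | *-*)           return 1 ;;
        *[!A-Za-z0-9._]*)   return 1 ;;
    esac
    return 0
}

# pkgrel: a positive integer (1 for a new package version, then incremented).
valid_pkgrel() {
    case $1 in
        '' | *[!0-9]* | 0)  return 1 ;;
    esac
    return 0
}

# Convert an upstream version such as 0.99-10 into pkgver form (0.99_10) and
# back; the latter is the ${pkgver//_/-} substitution used in source=().
to_pkgver()   { printf '%s\n' "${1//-/_}"; }
to_upstream() { printf '%s\n' "${1//_/-}"; }

# Check a whole name/version/release triple; prints one line per problem and
# returns the number of problems found, so 0 means the values are acceptable.
check_pkg_identity() {
    local name=$1 ver=$2 rel=$3 problems=0
    valid_pkgname "$name" || { echo "pkgname '$name' violates the naming rules"; problems=$((problems + 1)); }
    valid_pkgver  "$ver"  || { echo "pkgver '$ver' must not contain hyphens";    problems=$((problems + 1)); }
    valid_pkgrel  "$rel"  || { echo "pkgrel '$rel' must be a positive integer";  problems=$((problems + 1)); }
    return "$problems"
}

# Constructed sample: upstream release foobar 0.99-10, packaged for the first time.
upstream_version=0.99-10
pkgname=foobar
pkgver=$(to_pkgver "$upstream_version")
pkgrel=1
check_pkg_identity "$pkgname" "$pkgver" "$pkgrel" && echo "ok: $pkgname $pkgver-$pkgrel"
# The source= line can then refer back to the upstream tarball name:
source=("$pkgname-$(to_upstream "$pkgver").tar.gz")   # foobar-0.99-10.tar.gz
```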
<br />
=== epoch ===<br />
An Arch Linux-specific integer value that dictates which 'epoch' version numbers should be compared within. This value allows the usual version comparison rules to be overridden for packages that have inconsistent version numbering, require a downgrade, change their numbering scheme, etc. By default, packages are assumed to have epoch ''0''. Do not use this field unless you know what you are doing.<br />
<br />
=== pkgdesc ===<br />
The description of the package. This should be at most 80 characters long and should not include the package name in a self-referential way. For example, "Nedit is a text editor for X11" should be written as "A text editor for X11".<br />
<br />
{{Note|Do not follow this rule blindly when submitting packages to the [[AUR]]. If, for some reason, the package name differs from the application name, including the full name in the description may be the only way to make sure the package turns up in searches.}}<br />
<br />
=== arch ===<br />
An array of architectures the {{ic|PKGBUILD}} is known to work on. Currently, it should contain {{ic|i686}} and/or {{ic|x86_64}}: {{ic|1=arch=('i686' 'x86_64')}}. The value {{ic|any}} can be used for architecture-independent packages.<br />
<br />
You can access the target architecture with the {{ic|$CARCH}} variable during the build, even when defining variables. See also {{bug|16352}}. Example:<br />
<br />
depends=(foobar)<br />
if test "$CARCH" == x86_64; then<br />
depends+=(lib32-glibc)<br />
fi<br />
<br />
=== url ===<br />
The URL of the official website of the software being packaged.<br />
<br />
=== license ===<br />
Η άδεια υπό την οποία διανέμεται το λογισμικό. Το πακέτο {{pkg|licenses}} έχει δημιουργηθεί στην ομάδα πακέτων {{ic|[core]}} το οποίο συγκεντρώνει τις κοινά χρησιμοποιούμενες άδειες στον κατάλογο {{ic|/usr/share/licenses/common}}, π.χ. {{ic|/usr/share/licenses/common/GPL}}. Εάν ενα πακέτο έχει διανεμηθεί υπό μιας εκ των προαναφερθέντων αδειών, η τιμή πρέπει να είναι ίση με το όνομα του καταλόγου, π.χ. {{ic|1=license=('GPL')}}. Εαν η ανάλογη άδεια εμπεριέχεται στο επίσημο πακέτο {{Pkg|licenses}}, πρέπει να ακολουθεί η παρακάτω διαδικασία:<br />
<br />
# Το αρχείο(α) άδειας πρέπει να συμπεριληφθεί στο κατάλογο: {{ic|/usr/share/licenses/''pkgname''/}}, π.χ. {{ic|/usr/share/licenses/foobar/LICENSE}}.<br />
# Αν το πηγαίο αρχείο tarball ΔΕΝ περιέχει τις λεπτομέριες αδείας και η άδεια εμφανίζεται μόνο σε κάποια άλλη τοποθεσία, π.χ. μια ιστοσελίδα, τότε θα πρέπει να αντιγράψετε την άδεια σε ένα αρχείο και να το συμπεριλάβετε.<br />
# Προσθέστε το ενδεικτικό {{ic|custom}} στο πεδίο {{ic|license}}. Προαιρετικά, μπορείτε να αντικαταστήσετε το ενδεικτικό {{ic|custom}} με το {{ic|custom:όνομα αδείας}}. Όταν μια άδεια χρησιμοποιηθεί σε δύο ή περισσότερα πακέτα σε επίσημο repository (συμπεριλαμβανομένου του {{ic|[community]}}), προστίθεται στο πακέτο {{Pkg|licenses}}.<br />
* Οι άδειες [[Wikipedia:BSD License|BSD]], [[Wikipedia:MIT License|MIT]], [[Wikipedia:ZLIB license|zlib/png]] και [[Wikipedia:Python License|Python]] είναι ειδικές περιπτώσεις και δεν ήταν δυνατό να συμπεριληφθούν στο πακέτο {{pkg|licenses}}. για την διατήρηση της απλότητας του πεδίου {{ic|license}}, αντιμετωπίζονται σαν κοινή άδεια ({{ic|1=license=('BSD')}}, {{ic|1=license=('MIT')}}, {{ic|1=license=('ZLIB')}} και {{ic|1=license=('Python')}}) αλλά τεχνικά μιλώντας, κάθε μια είναι μια κοινή άδεια διότι κάθε μια ακολουθεί την δική της γραμμή πνευματικών δικαιωμάτων. Οποιαδήποτε πακέτα έχουν αδειοδοτηθεί υπό μια εκ των τεσσάρων αδειών θα πρέπει να έχουν την δική τους μοναδική άδεια αποθηκευμένη στον κατάλογο {{ic|/usr/share/licenses/''pkgname''}}. Κάποια πακέτα μπορεί να μην καλύπτονται απο μια και μόνο άδεια. Σε αυτές τις περιπτώσεις, μπορούν να γίνουν πολλαπλές καταχωρήσεις στο πεδίο license, π.χ. {{ic|1=license=('GPL' 'custom:όνομα αδείας')}}.<br />
* Επιπροσθέτως, η (L)GPL έχει πολλές εκδόσεις και παραλλαγές αυτών. Όσον αφορά το λογισμικό (L)GPL, η σύμβαση είναι:<br />
** (L)GPL - (L)GPLv2 ή οποιαδήποτε μεταγεννέστερη έκδοση<br />
** (L)GPL2 - (L)GPL2 μόνο<br />
** (L)GPL3 - (L)GPL3 ή οποιαδήποτε μεταγεννέστερη έκδοση<br />
* Εάν έπειτα από διερεύνηση του θέματος δεν μπορεί να προσδιοριστεί κάποια άδεια, το {{ic|PKGBUILD.proto}} προτείνει την χρήση του ενδεικτικού {{ic|unknown}}. Παρόλα αυτά, το upstream πρέπει να ειδοποιηθεί για τους όρους υπό τους οποίους το λογισμικό είναι ( και δεν είναι) διαθέσιμο.<br />
<br />
{{Tip|Μερικοί προγραμματιστές δεν παρέχουν ξεχωριστο αρχείο και περιγράφουν τους όρους διαμοιρασμού σε τμήμα του κοινώς χρησιμοποιούμενου αρχείου ReadMe.txt. Οι πληροφορίες αυτές μπορουν να εξαχθουν σε ξεχωριστό αρχείο κατά την διάρκεια της φάσης {{Ic|μεταγλώττισης}} με την χρήση άνάλογης εντολής με την: {{Ic|sed -n '/'''This software'''/,/''' thereof.'''/p' ReadMe.txt > LICENSE}}.}}<br />
<br />
=== groups ===<br />
Η ομάδα στη οποία ανήκει το πακέτο. Για παράδειγμα, όταν εγκαταστήσετε το πακέτο {{Pkg|kdebase}}, εγκαθίστανται όλα τα πακέτα τα οποία ανήκουν στην ομάδα {{Grp|kde}.<br />
<br />
=== depends ===<br />
Μια σειρά ονομάτων πακέτων τα ιποία πρέπει να εγκατασταθούν πριν να μπορέσει το εν λόγω λογισμικό να εκτελεστεί. Αν κάποιο λογισμικό απαιτεί την ύπαρξη μιας ελάχιστης έκδοσης κάποιας εξάρτησης, ο τελεστής {{ic|1=>=}} θα πρέπει να χρησιμοποιηθεί για να υποδείξει αυτήν την απαίτηση, π.χ. {{ic|1=depends=('foobar>=1.8.0')}}. δεν χρειάζεται να παραθέσετε τα πακέτα απο τα οποία εξαρτάται το λογισμικό σας εάν άλλα πακέτα από τα οποία εξαρτάται το λογισμικό σας έχουν ήδη ορίσει τα πακέτα αυτά ως εξαρτήσεις τους. Επί παραδείγματι, το πακέτο {{pkg|gtk2}} εξαρτάται από το πακέτο {{pkg|glib2}} και το πακέτο {{pkg|glibc}}. Όμως, το πακέτο {{pkg|glibc}} δεν χρειάζεται να παρατεθεί ως εξάρτηση για το πακέτο {{pkg|gtk2}} διότι είναι μια εκ των εξαρτήσεων του πακέτου {{pkg|glib2}}.<br />
<br />
===makedepends===<br />
Μια σειρά ονομάτων πακέτων τα οποία πρέπει να εγκατασταθούν για να είναι δυνατή η μεταγλώττιση του λογισμικού αλλά δεν είναι απαραίτητα για την χρήση του μετά την εγκατάσταση. Μπορείτε να ορίσετε την ελάχιστη έκδοση εξάρτησης των πακέτων με τον ίδιο τρόπο που περιγράφηκε στην παράγραφο {{ic|depends}}.<br />
<br />
{{Warning|Η ομάδα πακέτων {{Grp|base-devel}} θεωρείται εγκατεστημένη κατά την μεταγλώττιση με το makepkg . Τα μέλη της ομάδας πακέτων "base-devel" '''δεν θα πρέπει''' να συμπεριλαμβάνονται στο πεδίο {{ic|makedepends}}}}<br />
<br />
=== checkdepends ===<br />
Μια σειρά πακέτων από τα οποία εξαρτάται το εν λόγω πακέτο ώστε να εκτελέσει την σειρά δοκιμών του τα οποία όμως δεν χρειάζονται κατά την κανονική εκτέλεση. Τα πακέτα που παραθέτονται σε αυτή την λίστα ακολουθούν το ίδιο πρότυπο με το πεδίο depends. Αυτές οι εξαρτήσεις λαμβάνονται υπόψη μόνο όταν η συνάρτηση [[Creating Packages#The check() function|check()]] είναι παρούσα και πρόκειται να εκτελεστεί από το makepkg.<br />
<br />
=== optdepends ===<br />
Μια σειρά ονομάτων πακέτων τα οποία δεν χρειάζονται για την λειτουργικότητα του λογισμικού αλλά παρέχουν επιπρόσθετα χαρακτηριστικά. Μια σύντομη περιγραφή του τι παρέχει το κάθε πακέτο πρέπει επίσης να σημειωθεί. Ένα πεδίο {{ic|optdepends}} μπορεί να έχει την εξής μορφή:<br />
optdepends=('cups: printing support'<br />
'sane: scanners support'<br />
'libgphoto2: digital cameras support'<br />
'alsa-lib: sound support'<br />
'giflib: GIF images support'<br />
'libjpeg: JPEG images support'<br />
'libpng: PNG images support')<br />
<br />
=== provides ===<br />
Μια σειρά ονομάτων πακέτων (ή ενα εικονικό πακέτο όπως το {{Ic|cron}} η το {{Ic|sh}}) των οποίων τα χαρακτηριστικά παρέχει το τρέχον πακέτο. Πακέτα τα οποία παρέχουν τα ίδια πράγματα μπορούν να εγκατασταθούν ταυτόχρονα εκτός εάν συγκρούονται μεταξύ τους (δείτε παρακάτω). Εάν χρησιμοποιήσετε την μεταβλητή αυτή, θα πρέπει να προσθέσετε την έκδοση ({{ic|pkgver}} και ίσως την {{ic|pkgrel}}) την οποία θα παράσχει αυτό το πακέτο εαν οι εξαρτήσεις επηρρεαζονται από αυτό. Για παράδειγμα, Αν παρέχετε μια προσαρμοσμένη έκδοση του πακέτου ''qt'' με όνομα ''qt-foobar'' έκδοση 3.3.8 η οποία παρέχει το πακέτο ''qt'' τότε το πεδίο {{ic|provides}} θα πρέπει να είναι κάπως έτσι {{ic|1=provides=('qt=3.3.8')}}. Εαν χρησιμοποιούσαμε το {{ic|1=provides=('qt')}} θα αποτύγχαναν να ικανοποιηθούν εκείνες οι εξαρτήσεις οι οποίες απαιτούν μια συγκεκριμένη έκδοση του ''qt''. Μην προσθέσετε το πεδίο {{ic|pkgname}} στο πεδίο provides , διότι γίνεται αυτόματα.<br />
<br />
=== conflicts ===<br />
Μία σειρά ονομάτων πακέτων τα οποία μπορεί να δημιουργήσουν προβλήματα με το τρέχον πακέτο εάν εγκατασταθεί. Το Πακέτο με αυτό το όνομα και όλα τα πακέτα που {{Ic|παρέχει}} όπως εκονικά πακέτα με αυτό το όνομα, θα αφαιρεθούν. Μπορείτε να ορίσετε τις ιδιότητες έκδοσης των συγκρουόμενων πακέτων όπως και στο πεδίο {{ic|depends}}.<br />
<br />
=== replaces ===<br />
Μια σειρά παρωχημένων ονομάτων πακέτων τα οποία αντικαθίστανται από το τρέχον πακέτο, π.χ. {{ic|1=replaces=('ethereal')}} αντικαθίσταται με το πακέτο {{pkg|wireshark}}. μετά τον συγχρονισμό η εντολή {{ic|pacman -Sy}}, θα αντικαταστήσει άμεσα ένα εγκατεστημένο πακέτο μόλις εντοπίσει κάποιο άλλο πακέτο με την κατάλληλη ετικέτα {{ic|replaces}} στα αποθετήρια. Αν παρέχετε μια εναλλακτική έκδοση για ένα ήδη υπάρχον ένα άλλο πακέτο, Χρησιμοποιείστε την μεταβλητή {{ic|conflicts}} η οποία λαμβάνεται υπόψη μόνο κατά την εγκατάσταση του συγκρουόμενου πακέτου.<br />
<br />
=== backup ===<br />
Μια σειρά αρχείων τα οποία περιέχουν τροποποιήσεις των χρηστών του συστήματος και θα πρέπει να διατηρηθούν κατά την αναβάθμιση η την απομάκρυνση ενός πακέτου, αποσκοπεί κυρίως σε αρχεία ρυθμίσεων στον κατάλογο {{ic|/etc}}.<br />
<br />
Κατά την αναβάθμιση, η νέα έκδοση μπορεί να αποθηκευτεί ως {{ic|file.pacnew}} ώστε να αποφευχθεί η αντικατάσταση ενός αρχείου που υπάρχει ήδη και έχει τροποποιηθεί απο τον χρήστη. Ομοίως, όταν το πακέτο απομακρύνεται, το τροποποιημένο από το χρήστη αρχείο θα διατηρηθεί ως {{ic|file.pacsave}} εκτός και αν το πακέτο απομακρύνθηκε με την εντολή {{ic|pacman -Rn}}. <br />
<br />
Οι διαδρομές των αρχείων σε αυτό το πεδίο θα πρέπει να είναι σχετικές διαδρομές (π.χ. {{ic|etc/pacman.conf}}) και όχι απόλυτες (π.χ. {{ic|/etc/pacman.conf}}). Δείτε επίσης [[Pacnew and Pacsave Files]].<br />
<br />
=== options ===<br />
This field lets you override some of makepkg's default behaviour, as defined in /etc/makepkg.conf. To set an option, add its name to the field. To reverse the default, put a ! in front of the option name. The following options can be added to the field:<br />
<br />
* '''''strip''''' - Strips symbols from binaries and libraries. If you frequently use a debugger on programs or libraries, it may be worth disabling this option.<br />
* '''''docs''''' - Saves {{ic|/doc}} directories.<br />
* '''''libtool''''' - Leaves ''libtool'' ({{ic|.la}}) files in packages.<br />
* '''''emptydirs''''' - Leaves empty directories in packages.<br />
* '''''zipman''''' - Compresses ''man'' and ''info'' pages with ''gzip''.<br />
* '''''ccache''''' - Allows the use of {{ic|ccache}} during the build. Mostly useful in its negative form {{ic|!ccache}} for specific packages that have problems building with {{ic|ccache}} enabled.<br />
* '''''distcc''''' - Allows the use of {{ic|distcc}} during the build. Mostly useful in its negative form {{ic|!distcc}} for specific packages that have problems building with {{ic|distcc}} enabled.<br />
* '''''buildflags''''' - Allows the use of user-specific {{ic|buildflags}} (CFLAGS, CXXFLAGS, LDFLAGS) during the build. Mostly useful in its negative form {{ic|!buildflags}} for specific packages that have problems building with custom {{ic|buildflags}}.<br />
* '''''makeflags''''' - Allows the use of user-specific {{ic|makeflags}} during the build. Mostly useful in its negative form {{ic|!makeflags}} for specific packages that have problems building with custom {{ic|makeflags}}.<br />
<br />
=== install ===<br />
The name of the {{ic|.install}} script to be included in the package. pacman can store and execute a package-specific script when a package is installed, removed or upgraded. The script contains the following functions, which are run at different times:<br />
<br />
* '''''pre_install''''' - The script is run right before files are extracted. One argument is passed: the new package version.<br />
* '''''post_install''''' - The script is run right after files are extracted. One argument is passed: the new package version.<br />
* '''''pre_upgrade''''' - The script is run before files are extracted. Two arguments are passed in this order: the new package version, the old package version.<br />
* '''''post_upgrade''''' - The script is run after files are extracted. Two arguments are passed in this order: the new package version, the old package version.<br />
* '''''pre_remove''''' - The script is run right before files are removed. One argument is passed: the old package version.<br />
* '''''post_remove''''' - The script is run right after files are removed. One argument is passed: the old package version.<br />
<br />
Each function is run chrooted inside pacman's install directory. See [https://bbs.archlinux.org/viewtopic.php?pid=913891 this thread].<br />
<br />
{{Tip|A prototype {{ic|.install}} file is provided at {{ic|/usr/share/pacman/proto.install}}.}}<br />
<br />
=== changelog ===<br />
The name of the package changelog file. To view the changelog of installed packages (provided they ship one):<br />
pacman -Qc ''pkgname''<br />
<br />
{{Tip|A prototype changelog file is provided at {{ic|/usr/share/pacman/ChangeLog.proto}}.}}<br />
<br />
=== source ===<br />
An array of files needed to build the package. It must contain the location of the software's source files, which is usually a full HTTP or FTP URL. The previously defined {{ic|pkgname}} and {{ic|pkgver}} variables can be used here (e.g. {{ic|<nowiki>source=(http://example.com/$pkgname-$pkgver.tar.gz)</nowiki>}}).<br />
<br />
{{Note|If you need to supply files that are not directly downloadable, e.g. hand-made patches, simply put them in the same directory as the {{ic|PKGBUILD}} file and add the filename to this field. Any paths added here are resolved relative to the directory containing the {{ic|PKGBUILD}}. Before the actual build process starts, all files referenced in this field will be downloaded or checked for existence, and {{ic|makepkg}} will not proceed if any are missing.}}<br />
<br />
{{Tip|You can specify a different name for the downloaded file, if for some reason it has a different name (for example because the URL carries a GET parameter), using the following syntax: {{Ic|''filename''::''fileuri''}}, for example {{Ic|$pkgname-$pkgver.zip::<nowiki>http://199.91.152.193/7pd0l2tpkidg/jg2e1cynwii/Warez_collection_16.4.exe</nowiki>}}}}<br />
<br />
=== noextract ===<br />
An array of files listed in the {{ic|source}} field that should not be extracted from their archive format by {{ic|makepkg}}. This applies mainly to certain zip files that {{ic|/usr/bin/bsdtar}} cannot handle, because {{Pkg|libarchive}} treats all files as streams, unlike {{Pkg|unzip}}, which follows a random-access model. In these cases {{ic|unzip}} should be listed in {{ic|makedepends}} and the first line of the [[Creating Packages#The build() function|build()]] function should contain:<br />
<br />
cd "$srcdir/$pkgname-$pkgver"<br />
unzip [source].zip<br />
<br />
Note that while the {{ic|source}} field accepts URLs, {{ic|noextract}} is '''just''' the filename portion. For example, you would do something like this (simplified from the grub2 [https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/grub2&id=f054e33a0b5cbdfe7d81e91a8c4c807a9bfaa124 PKGBUILD]):<br />
<br />
source=(<nowiki>"http://ftp.archlinux.org/other/grub2/grub2_extras_lua_r20.tar.xz"</nowiki>)<br />
noextract=("grub2_extras_lua_r20.tar.xz")<br />
<br />
To extract ''nothing'', you can do something clever like (adapted from the [https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/firefox-i18n&id=cb10a40aeda9b444285d1ae6959c344110b4c936 firefox-i18n] PKGBUILD):<br />
<br />
noextract=(${source[@]##*/})<br />
<br />
{{Note|A more conservative Bash substitution would include quoting, or possibly a loop calling {{ic|basename}}. If you have read this far, you should get the idea.}}<br />
<br />
=== md5sums ===<br />
An array of MD5 checksums of the files listed in the {{ic|source}} field. Once all files in the {{ic|source}} field are available, an MD5 hash of each file is generated automatically and compared with the values in this field, in the same order in which they appear in the {{ic|source}} field. While the order of the source files does not matter in itself, it is important that it matches the order of this field, since {{ic|makepkg}} cannot guess which checksum belongs to which source file. You can quickly and easily generate the values for this field by running {{ic|makepkg -g}} in the directory containing the {{ic|PKGBUILD}} file. Note that the MD5 algorithm has known weaknesses, so you should consider using a stronger alternative.<br />
<br />
=== sha1sums ===<br />
An array of SHA-1 160-bit checksums. An alternative to the {{ic|md5sums}} described above, but also known to have weaknesses, so you should consider using a stronger alternative. To enable the use and generation of these checksums, make sure you set the {{ic|INTEGRITY_CHECK}} option in {{ic|/etc/makepkg.conf}}. See {{ic|man makepkg.conf}}.<br />
<br />
=== sha256sums, sha384sums, sha512sums ===<br />
An array of SHA-2 checksums with digest lengths of 256, 384 and 512 bits respectively. Alternatives to the {{ic|md5sums}} described above, generally believed to be stronger. To enable the use and generation of these checksums, make sure you set the {{ic|INTEGRITY_CHECK}} option in {{ic|/etc/makepkg.conf}}. See {{ic|man makepkg.conf}}.<br />
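An added example (not code from the wiki or from makepkg itself): a read-only Python checker for the source/checksum pairing described in the checksum sections, which also applies the {{Ic|''filename''::''fileuri''}} naming rule from the {{ic|source}} tip above. The PKGBUILD text, the two source files and the limited {{ic|$pkgname}}/{{ic|$pkgver}} expansion are constructed assumptions; choosing the strongest checksum array present stands in for makepkg's own {{ic|INTEGRITY_CHECK}} lookup.<br />

```python
"""Read-only source/checksum checker modelled on what the page describes
(added example, not makepkg code). The PKGBUILD is parsed, never sourced,
so running it on an untrusted PKGBUILD executes nothing from it."""
import hashlib
import re
import tempfile
from pathlib import Path

ALGOS = ("md5", "sha1", "sha256", "sha384", "sha512")  # weakest first
WEAK = {"md5", "sha1"}  # the two the page flags as having known weaknesses

_SCALAR_RE = re.compile(r"^(pkgname|pkgver)=(\S+)$", re.M)
_ARRAY_RE = re.compile(r"^(\w+)=\((.*?)\)", re.M | re.S)
_ENTRY_RE = re.compile(r"""'([^']*)'|"([^"]*)"|([^\s'"]+)""")


def parse_pkgbuild(text):
    """Return (scalars, arrays). Assumption: literal entries only; just
    $pkgname/${pkgname} and $pkgver/${pkgver} are expanded."""
    scalars = dict(_SCALAR_RE.findall(text))

    def expand(s):
        for k, v in scalars.items():
            s = s.replace("${" + k + "}", v).replace("$" + k, v)
        return s

    arrays = {}
    for name, body in _ARRAY_RE.findall(text):
        arrays[name] = [expand(a or b or c) for a, b, c in _ENTRY_RE.findall(body)]
    return scalars, arrays


def source_filename(entry):
    """Local name of a source entry: the part before '::' in the
    filename::fileuri form, otherwise the last URL component (what the
    Bash expansion ${source[@]##*/} yields)."""
    if "::" in entry:
        return entry.split("::", 1)[0]
    return entry.rsplit("/", 1)[-1]


def _digest(algo, path):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def generate_sums(pkgbuild_text, srcdir, algo="sha256"):
    """Like makepkg -g: digests of the local source files, in source order."""
    _, arrays = parse_pkgbuild(pkgbuild_text)
    return [_digest(algo, Path(srcdir) / source_filename(e)) for e in arrays["source"]]


def verify_sources(pkgbuild_text, srcdir, algo=None):
    """Pair source[i] with <algo>sums[i] and compare digests.
    Returns (algo, is_weak, [(filename, 'OK'|'MISMATCH'|'MISSING')]).
    algo defaults to the strongest *sums array present (simplification of
    makepkg's INTEGRITY_CHECK setting)."""
    _, arrays = parse_pkgbuild(pkgbuild_text)
    if algo is None:
        algo = next((a for a in reversed(ALGOS) if a + "sums" in arrays), None)
    if algo is None:
        raise ValueError("PKGBUILD carries no checksum array")
    sources, sums = arrays["source"], arrays[algo + "sums"]
    if len(sums) != len(sources):  # makepkg cannot guess which sum is whose
        raise ValueError(f"{algo}sums has {len(sums)} entries, source has {len(sources)}")
    results = []
    for entry, expected in zip(sources, sums):
        name = source_filename(entry)
        path = Path(srcdir) / name
        if not path.is_file():
            results.append((name, "MISSING"))
        elif _digest(algo, path) == expected.lower():
            results.append((name, "OK"))
        else:
            results.append((name, "MISMATCH"))
    return algo, algo in WEAK, results


def demo():
    """Constructed sample: two fake source files plus a PKGBUILD generated
    for them; swapping the two sums shows why array order matters."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "foobar-2.5.tar.gz").write_bytes(b"constructed tarball bytes\n")
    (tmp / "fix-build.patch").write_bytes(b"--- constructed patch ---\n")
    head = (
        "pkgname=foobar\npkgver=2.5\n"
        "source=(http://example.com/$pkgname-$pkgver.tar.gz\n"
        "        'fix-build.patch::http://example.com/download?id=42')\n"
    )
    sums = generate_sums(head, tmp)
    good = head + "sha256sums=('%s'\n            '%s')\n" % tuple(sums)
    swapped = head + "sha256sums=('%s'\n            '%s')\n" % tuple(reversed(sums))
    return verify_sources(good, tmp), verify_sources(swapped, tmp)


if __name__ == "__main__":
    for algo, weak, res in demo():
        print(algo, "weak" if weak else "strong", res)
```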
<br />
== See also ==<br />
*[http://pastebin.com/MeXiLDV9 Sample PKGBUILD file]<br />
*[http://seberm.pastebin.com/gP0tBqvs Sample .install file]</div>Foucaulthttps://wiki.archlinux.org/index.php?title=PKGBUILD_(%CE%95%CE%BB%CE%BB%CE%B7%CE%BD%CE%B9%CE%BA%CE%AC)&diff=210947PKGBUILD (Ελληνικά)2012-06-22T19:31:07Z<p>Foucault: /* changelog */</p>
<hr />
<div>[[Category:About Arch (Ελληνικά)]]<br />
[[Category:Package development (Ελληνικά)]]<br />
[[cs:PKGBUILD]]<br />
[[en:PKGBUILD]]<br />
[[es:PKGBUILD]]<br />
[[fa:PKGBUILD]]<br />
[[fr:PKGBUILD]]<br />
[[pl:PKGBUILD]]<br />
[[pt:PKGBUILD]]<br />
[[sr:PKGBUILD]]<br />
[[zh-CN:PKGBUILD]]<br />
[[zh-TW:PKGBUILD]]<br />
<br />
{{Article summary start}}<br />
{{Article summary text|This article explains the PKGBUILD variables used when [[Creating Packages|creating packages]]. A PKGBUILD file is a script that describes how the software is compiled and "packaged". Writing install functions and general package-building information are covered in [[Creating Packages]] and other [[:Category:Package development|package development]] articles.}}<br />
{{Article summary heading|Overview}}<br />
{{Article summary text|{{Package management overview}}}}<br />
{{Article summary heading|Related}}<br />
{{Article summary wiki|Arch Packaging Standards}}<br />
{{Article summary wiki|Creating Packages}}<br />
{{Article summary wiki|Custom local repository}}<br />
{{Article summary wiki|pacman Tips}}<br />
{{Article summary heading|Resources}}<br />
{{Article summary link|PKGBUILD(5) Manual Page|https://www.archlinux.org/pacman/PKGBUILD.5.html}}<br />
{{Article summary end}}<br />
<br />
'''PKGBUILD''' is the [[Arch Linux]] [[Creating Packages|package build]] description file.<br />
<br />
Packages in Arch Linux are built with the [[makepkg]] utility, and the information needed to build them is kept in the PKGBUILD file. When '''makepkg''' is run, it looks for a {{Ic|PKGBUILD}} file in the current directory and follows its instructions either to compile or to otherwise obtain the files required to create the package ({{ic|''pkgname''.pkg.tar.xz}}), which in the end contains all the binary files and the installation instructions and can then be installed directly with [[pacman]].<br />
<br />
== Variables ==<br />
The following variables can be filled in the PKGBUILD file.<br />
<br />
It is common practice to define the variables in the same order in which they are presented here. However, this is not mandatory, as long as correct [[Bash]] syntax is used.<br />
<br />
=== pkgname ===<br />
The name of the package. It must contain ''only alphanumeric characters and/or the characters @ . _ + - (at, period, underscore, plus, hyphen)''. All letters must be ''lowercase'' and names ''must not start with a hyphen''. For consistency, {{ic|pkgname}} should match the name used in the source tarball of the software the PKGBUILD is for. For example, if the program's source is distributed as {{ic|foobar-2.5.tar.gz}}, then {{ic|pkgname}} should be {{Ic|foobar}}. The working directory containing the PKGBUILD should also match {{ic|pkgname}}.<br />
<br />
=== pkgver ===<br />
The current version of the package. This value should be the same as the version released by the package's upstream developer. It may contain letters, numbers and periods but must '''not''' contain hyphens. If the upstream developer uses hyphens in the version, they must be replaced with underscores. For example, if the version is ''0.99-10'' it should be changed to ''0.99_10''. If {{ic|pkgver}} is used later in the PKGBUILD, the underscore can easily be substituted back. For example:<br />
source=($pkgname-${pkgver//_/-}.tar.gz)<br />
<br />
=== pkgrel ===<br />
The Arch Linux-specific release number of the package. This variable lets users differentiate between successive builds of the same version of a package. When a new version of the package is released or a package is built for the first time, {{ic|pkgrel}} '''must be 1'''. As fixes or optimisations to the PKGBUILD are released, {{ic|pkgrel}} is incremented by one and the package is re-released.<br />
<br />
=== epoch ===<br />
An Arch Linux-specific integer value that dictates in which 'epoch' the version numbers are to be compared. This value allows the usual version comparison rules to be overridden for packages with inconsistent version numbering, a required downgrade, a change of numbering scheme, etc. By default, packages are assumed to have an epoch of ''0''. Do not use this field unless you know what you are doing.<br />
<br />
=== pkgdesc ===<br />
The description of the package. It should be at most 80 characters long and should not include the package name in a self-referencing way. For example, "Nedit is a text editor for X11" should be written as "a text editor for X11".<br />
<br />
{{Note|Do not follow this rule blindly when submitting packages to the [[AUR]]. If the package name differs for some reason from the application name, including the full name in the description may be the only way to ensure the package is found when searching.}}<br />
<br />
=== arch ===<br />
An array of architectures on which the {{ic|PKGBUILD}} file is known to work. Currently, it should contain {{ic|i686}} and/or {{ic|x86_64}}, i.e. {{ic|1=arch=('i686' 'x86_64')}}. The value {{ic|any}} can be used for architecture-independent packages.<br />
<br />
You can access the target architecture through the {{ic|$CARCH}} variable during the build, even while defining variables. See also {{bug|16352}}. Example:<br />
<br />
depends=(foobar)<br />
if test "$CARCH" == x86_64; then<br />
depends+=(lib32-glibc)<br />
fi<br />
<br />
=== url ===<br />
The URL of the official website of the software being packaged.<br />
<br />
=== license ===<br />
The license under which the software is distributed. The {{pkg|licenses}} package has been created in {{ic|[core]}}; it collects the commonly used licenses in the {{ic|/usr/share/licenses/common}} directory, e.g. {{ic|/usr/share/licenses/common/GPL}}. If a package is distributed under one of those licenses, the value should be equal to the directory name, e.g. {{ic|1=license=('GPL')}}. If the relevant license is not included in the official {{Pkg|licenses}} package, the following procedure should be followed:<br />
<br />
# The license file(s) must be included in the directory {{ic|/usr/share/licenses/''pkgname''/}}, e.g. {{ic|/usr/share/licenses/foobar/LICENSE}}.<br />
# If the source tarball does NOT contain the license details and the license is only displayed elsewhere, e.g. on a website, then you should copy the license to a file and include it.<br />
# Add the {{ic|custom}} value to the {{ic|license}} field. Optionally, you can replace {{ic|custom}} with {{ic|custom:license name}}. Once a license is used in two or more packages in an official repository (including {{ic|[community]}}), it is added to the {{Pkg|licenses}} package.<br />
* The [[Wikipedia:BSD License|BSD]], [[Wikipedia:MIT License|MIT]], [[Wikipedia:ZLIB license|zlib/png]] and [[Wikipedia:Python License|Python]] licenses are special cases and could not be included in the {{pkg|licenses}} package. For the sake of the {{ic|license}} field, they are treated as common licenses ({{ic|1=license=('BSD')}}, {{ic|1=license=('MIT')}}, {{ic|1=license=('ZLIB')}} and {{ic|1=license=('Python')}}), but technically speaking each one is a custom license, because each has its own copyright line. Any package licensed under one of these four licenses should have its own unique license stored in {{ic|/usr/share/licenses/''pkgname''}}. Some packages may not be covered by a single license. In such cases, multiple entries may be made in the license field, e.g. {{ic|1=license=('GPL' 'custom:license name')}}.<br />
* In addition, the (L)GPL has many versions and permutations of those versions. For (L)GPL software, the convention is:<br />
** (L)GPL - (L)GPLv2 or any later version<br />
** (L)GPL2 - (L)GPL2 only<br />
** (L)GPL3 - (L)GPL3 or any later version<br />
* If after researching the issue no license can be determined, {{ic|PKGBUILD.proto}} suggests using {{ic|unknown}}. However, upstream should be contacted about the terms under which the software is (and is not) available.<br />
<br />
{{Tip|Some developers do not provide a separate license file and describe the distribution terms in a section of the commonly used ReadMe.txt. This information can be extracted into a separate file during the {{Ic|build}} phase with a command similar to: {{Ic|sed -n '/'''This software'''/,/''' thereof.'''/p' ReadMe.txt > LICENSE}}.}}<br />
<br />
=== groups ===<br />
The group the package belongs to. For example, when you install the {{Pkg|kdebase}} package, all packages belonging to the {{Grp|kde}} group are installed.<br />
<br />
=== depends ===<br />
An array of package names that must be installed before the software can be run. If a minimum version of a dependency is required, the {{ic|1=>=}} operator should be used to indicate it, e.g. {{ic|1=depends=('foobar>=1.8.0')}}. You do not need to list packages your software depends on if other packages it depends on already list them as dependencies. For example, {{pkg|gtk2}} depends on {{pkg|glib2}} and {{pkg|glibc}}. However, {{pkg|glibc}} does not need to be listed as a dependency of {{pkg|gtk2}} because it is one of the dependencies of {{pkg|glib2}}.<br />
<br />
=== makedepends ===<br />
An array of package names that must be installed to build the software but are not required to use it after installation. You can specify the minimum dependency version in the same way as described under {{ic|depends}}.<br />
<br />
{{Warning|The {{Grp|base-devel}} group is assumed to be installed when building with makepkg. Members of the "base-devel" group '''should not''' be included in the {{ic|makedepends}} field.}}<br />
<br />
=== checkdepends ===<br />
An array of packages the package depends on to run its test suite but which are not needed at runtime. Packages in this list follow the same format as {{ic|depends}}. These dependencies are only considered when the [[Creating Packages#The check() function|check()]] function is present and is to be run by makepkg.<br />
<br />
=== optdepends ===<br />
An array of package names that are not needed for the software to function but provide additional features. A short description of what each package provides should also be noted. An {{ic|optdepends}} field may look like this:<br />
optdepends=('cups: printing support'<br />
'sane: scanners support'<br />
'libgphoto2: digital cameras support'<br />
'alsa-lib: sound support'<br />
'giflib: GIF images support'<br />
'libjpeg: JPEG images support'<br />
'libpng: PNG images support')<br />
<br />
=== provides ===<br />
An array of package names (or a virtual package such as {{Ic|cron}} or {{Ic|sh}}) whose features this package provides. Packages providing the same things can be installed at the same time unless they conflict with each other (see below). If you use this variable, you should add the version ({{ic|pkgver}} and perhaps {{ic|pkgrel}}) that this package will provide if dependencies are affected by it. For example, if you provide a modified version of the ''qt'' package named ''qt-foobar'', version 3.3.8, which provides ''qt'', then the {{ic|provides}} field should look like {{ic|1=provides=('qt=3.3.8')}}. Using {{ic|1=provides=('qt')}} would cause dependencies that require a specific version of ''qt'' to fail. Do not add {{ic|pkgname}} to the provides field, as this is done automatically.<br />
<br />
=== conflicts ===<br />
An array of package names that may cause problems with this package if installed. The package with that name and all packages that {{Ic|provide}} a virtual package of that name will be removed. You can specify version properties of the conflicting packages in the same way as in {{ic|depends}}.<br />
<br />
=== replaces ===<br />
An array of obsolete package names that are replaced by this package, e.g. {{ic|1=replaces=('ethereal')}} for the {{pkg|wireshark}} package. After syncing with {{ic|pacman -Sy}}, an installed package is replaced immediately as soon as another package with the matching {{ic|replaces}} tag is found in the repositories. If you are providing an alternative version of an already existing package, use the {{ic|conflicts}} variable, which is only taken into account when the conflicting package is actually installed.<br />
<br />
=== backup ===<br />
An array of files containing user-made changes that should be preserved when the package is upgraded or removed; it is intended mainly for configuration files in {{ic|/etc}}.<br />
<br />
On upgrade, the new version may be saved as {{ic|file.pacnew}} to avoid overwriting an existing file that has been modified by the user. Likewise, when the package is removed, the user-modified file will be preserved as {{ic|file.pacsave}} unless the package was removed with {{ic|pacman -Rn}}. <br />
<br />
</div>Foucaulthttps://wiki.archlinux.org/index.php?title=PKGBUILD_(%CE%95%CE%BB%CE%BB%CE%B7%CE%BD%CE%B9%CE%BA%CE%AC)&diff=210946PKGBUILD (Ελληνικά)2012-06-22T19:30:48Z<p>Foucault: /* makedepends */</p>
<hr />
<div>[[Category:About Arch (Ελληνικά)]]<br />
[[Category:Package development (Ελληνικά)]]<br />
[[cs:PKGBUILD]]<br />
[[en:PKGBUILD]]<br />
[[es:PKGBUILD]]<br />
[[fa:PKGBUILD]]<br />
[[fr:PKGBUILD]]<br />
[[pl:PKGBUILD]]<br />
[[pt:PKGBUILD]]<br />
[[sr:PKGBUILD]]<br />
[[zh-CN:PKGBUILD]]<br />
[[zh-TW:PKGBUILD]]<br />
<br />
{{Article summary start}}<br />
{{Article summary text|This article explains the PKGBUILD variables used when [[Creating Packages|creating packages]]. A PKGBUILD file is a script that describes how a piece of software is compiled and "packaged". Writing install functions and general package-creation information are covered in [[Creating Packages]] and in other [[:Category:Package development|package development]] articles.}}<br />
{{Article summary heading|Overview}}<br />
{{Article summary text|{{Package management overview}}}}<br />
{{Article summary heading|Related}}<br />
{{Article summary wiki|Arch Packaging Standards}}<br />
{{Article summary wiki|Creating Packages}}<br />
{{Article summary wiki|Custom local repository}}<br />
{{Article summary wiki|pacman Tips}}<br />
{{Article summary heading|Resources}}<br />
{{Article summary link|PKGBUILD(5) Manual Page|https://www.archlinux.org/pacman/PKGBUILD.5.html}}<br />
{{Article summary end}}<br />
<br />
A '''PKGBUILD''' is the build description file used by the [[Arch Linux]] [[Creating Packages|package creation]] process.<br />
<br />
Packages in Arch Linux are built with the [[makepkg]] tool, and the information needed to build them is kept in the PKGBUILD file. When '''makepkg''' is run, it looks for a {{Ic|PKGBUILD}} file in the current directory and follows its instructions either to compile or to otherwise acquire the files required to create the package ({{ic|''pkgname''.pkg.tar.xz}}). The resulting package contains all the binary files together with the installation instructions, and can then be installed directly with [[pacman]].<br />
<br />
== Variables ==<br />
The following variables can be set in the PKGBUILD file.<br />
<br />
It is common practice to define the variables in the same order in which they are presented here. However, this is not mandatory, as long as correct [[Bash]] syntax is used.<br />
<br />
=== pkgname ===<br />
The name of the package. It may contain ''only alphanumeric characters and/or the characters @ . _ + - (at, dot, underscore, plus, hyphen)''. All characters must be ''lowercase'' and names ''must not start with a hyphen''. For consistency, {{ic|pkgname}} should match the name used in the source tarball of the program the PKGBUILD is for. For example, if the program's source is distributed as {{ic|foobar-2.5.tar.gz}}, then the {{ic|pkgname}} variable should be {{Ic|foobar}}. The current working directory containing the PKGBUILD should also match {{ic|pkgname}}.<br />
<br />
=== pkgver ===<br />
The current version of the package. This value should be identical to the version released by the package's author. It may contain letters, numbers and periods but must '''not''' contain hyphens. If the upstream author uses hyphens in the version, they must be replaced with underscores. For example, if the version is ''0.99-10'' it should be changed to ''0.99_10''. If the {{ic|pkgver}} variable is used later in the PKGBUILD, the underscore can easily be substituted back. For example:<br />
source=($pkgname-${pkgver//_/-}.tar.gz)<br />
<br />
=== pkgrel ===<br />
The release number of the package, specific to Arch Linux. This variable allows users to differentiate between consecutive builds of the same version of a package. When a new version of the package is released, or a package is created for the first time, {{ic|pkgrel}} '''must be 1'''. As fixes or optimisations are made to the PKGBUILD, {{ic|pkgrel}} is incremented by one and the package is re-released.<br />
<br />
=== epoch ===<br />
An integer value, specific to Arch Linux, which dictates in which 'epoch' version numbers are to be compared. This value allows the usual version comparison rules to be overridden for packages that have inconsistent version numbering, require a downgrade, change their numbering scheme, etc. By default, packages are assumed to have an epoch of ''0''. Do not use this field unless you know what you are doing.<br />
<br />
=== pkgdesc ===<br />
The description of the package. The description should be at most 80 characters long and should not include the package name in a self-referential way. For example, "Nedit is a text editor for X11" should be written as "A text editor for X11".<br />
<br />
{{Note|Do not follow this rule blindly when submitting packages to the [[AUR]]. If, for whatever reason, the package name differs from the application's name, including the full name in the description may be the only way to ensure the package is found when searching.}}<br />
<br />
=== arch ===<br />
An array of architectures the {{ic|PKGBUILD}} file is known to work on. Currently it should contain {{ic|i686}} and/or {{ic|x86_64}}, e.g. {{ic|1=arch=('i686' 'x86_64')}}. The value {{ic|any}} can be used for architecture-independent packages.<br />
<br />
You can access the target architecture through the {{ic|$CARCH}} variable during the build, even while defining variables. See also {{bug|16352}}. Example:<br />
<br />
depends=(foobar)<br />
if test "$CARCH" == x86_64; then<br />
depends+=(lib32-glibc)<br />
fi<br />
<br />
=== url ===<br />
The URL of the official website of the software being packaged.<br />
<br />
=== license ===<br />
The license under which the software is distributed. The {{pkg|licenses}} package in the {{ic|[core]}} repository collects the commonly used licenses in the {{ic|/usr/share/licenses/common}} directory, e.g. {{ic|/usr/share/licenses/common/GPL}}. If a package is distributed under one of these licenses, the value should be set to the directory name, e.g. {{ic|1=license=('GPL')}}. If the relevant license is not included in the official {{Pkg|licenses}} package, the following procedure must be followed:<br />
<br />
# The license file(s) must be included in the directory {{ic|/usr/share/licenses/''pkgname''/}}, e.g. {{ic|/usr/share/licenses/foobar/LICENSE}}.<br />
# If the source tarball does NOT contain the license details and the license is only displayed somewhere else, e.g. a website, then you should copy the license into a file and include it.<br />
# Add {{ic|custom}} to the {{ic|license}} array. Optionally, you can replace {{ic|custom}} with {{ic|custom:''license name''}}. Once a license is used in two or more packages in an official repository (including {{ic|[community]}}), it is added to the {{Pkg|licenses}} package.<br />
* The [[Wikipedia:BSD License|BSD]], [[Wikipedia:MIT License|MIT]], [[Wikipedia:ZLIB license|zlib/png]] and [[Wikipedia:Python License|Python]] licenses are special cases and could not be included in the {{pkg|licenses}} package. To keep the {{ic|license}} array simple, they are treated as common licenses ({{ic|1=license=('BSD')}}, {{ic|1=license=('MIT')}}, {{ic|1=license=('ZLIB')}} and {{ic|1=license=('Python')}}), but technically speaking each one is a custom license, because each carries its own copyright line. Any package licensed under one of these four licenses should have its own unique license stored in {{ic|/usr/share/licenses/''pkgname''}}. Some packages may not be covered by a single license. In these cases, multiple entries can be made in the license array, e.g. {{ic|1=license=('GPL' 'custom:''license name''')}}.<br />
* Additionally, the (L)GPL has many versions and permutations of those versions. For (L)GPL software, the convention is:<br />
** (L)GPL - (L)GPLv2 or any later version<br />
** (L)GPL2 - (L)GPL2 only<br />
** (L)GPL3 - (L)GPL3 or any later version<br />
* If after researching the matter no license can be determined, {{ic|PKGBUILD.proto}} suggests using {{ic|unknown}}. However, upstream should be contacted about the terms under which the software is (and is not) available.<br />
<br />
{{Tip|Some developers do not provide a separate license file and instead describe the distribution terms in a section of the commonly used ReadMe.txt file. This information can be extracted into a separate file during the {{Ic|build}} phase with a command similar to: {{Ic|sed -n '/'''This software'''/,/''' thereof.'''/p' ReadMe.txt > LICENSE}}.}}<br />
<br />
=== groups ===<br />
The group the package belongs to. For example, when you install the {{Pkg|kdebase}} package, all packages belonging to the {{Grp|kde}} group are installed.<br />
<br />
=== depends ===<br />
An array of package names that must be installed before this software can run. If a minimum version of a dependency is required, the {{ic|1=>=}} operator should be used to indicate this requirement, e.g. {{ic|1=depends=('foobar>=1.8.0')}}. You do not need to list packages your software depends on if other packages it depends on already list them as dependencies. For example, the {{pkg|gtk2}} package depends on {{pkg|glib2}} and {{pkg|glibc}}. However, {{pkg|glibc}} does not need to be listed as a dependency of {{pkg|gtk2}}, because it is already one of the dependencies of {{pkg|glib2}}.<br />
<br />
===makedepends===<br />
An array of package names that must be installed in order to build the software but are not needed to use it after installation. You can specify the minimum version of these dependencies in the same way described for {{ic|depends}}.<br />
<br />
{{Warning|The {{Grp|base-devel}} package group is assumed to be installed when building with makepkg. Members of the "base-devel" group '''should not''' be included in the {{ic|makedepends}} array.}}<br />
<br />
=== checkdepends ===<br />
An array of packages this package depends on in order to run its test suite, but which are not needed at runtime. Packages in this list follow the same format as {{ic|depends}}. These dependencies are only considered when the [[Creating Packages#The check() function|check()]] function is present and is about to be run by makepkg.<br />
<br />
=== optdepends ===<br />
An array of package names that are not needed for the software to function but provide additional features. A short description of what each package provides should also be noted. An {{ic|optdepends}} array may look like this:<br />
optdepends=('cups: printing support'<br />
'sane: scanners support'<br />
'libgphoto2: digital cameras support'<br />
'alsa-lib: sound support'<br />
'giflib: GIF images support'<br />
'libjpeg: JPEG images support'<br />
'libpng: PNG images support')<br />
<br />
=== provides ===<br />
An array of package names (or a virtual package such as {{Ic|cron}} or {{Ic|sh}}) whose functionality this package provides. Packages that provide the same thing can be installed simultaneously unless they conflict with each other (see below). If you use this variable, you should add the version ({{ic|pkgver}} and perhaps {{ic|pkgrel}}) this package will provide if dependencies may be affected by it. For example, if you are providing a modified version of the ''qt'' package named ''qt-foobar'', version 3.3.8, which provides ''qt'', then the {{ic|provides}} array should look like {{ic|1=provides=('qt=3.3.8')}}. Using {{ic|1=provides=('qt')}} instead would cause dependencies that require a specific version of ''qt'' to fail. Do not add {{ic|pkgname}} to the provides array, as this is done automatically.<br />
<br />
=== conflicts ===<br />
An array of package names that may cause problems with this package if installed. The package with this name, and all packages that {{Ic|provide}} a virtual package with this name, will be removed. You can specify version properties of the conflicting packages just as in the {{ic|depends}} array.<br />
<br />
=== replaces ===<br />
An array of obsolete package names that are replaced by this package, e.g. {{ic|1=replaces=('ethereal')}} for the {{pkg|wireshark}} package. After syncing with {{ic|pacman -Sy}}, pacman will immediately replace an installed package as soon as it finds another package with the matching {{ic|replaces}} label in the repositories. If you are providing an alternative version of an already existing package, use the {{ic|conflicts}} variable instead, which is only evaluated when the conflicting package is actually installed.<br />
<br />
=== backup ===<br />
An array of files containing modifications made by the system's users, which should be preserved when a package is upgraded or removed. It is primarily intended for configuration files in {{ic|/etc}}.<br />
<br />
During an upgrade, the new version may be saved as {{ic|file.pacnew}} so that an already existing file modified by the user is not overwritten. Likewise, when the package is removed, the user-modified file is preserved as {{ic|file.pacsave}} unless the package was removed with {{ic|pacman -Rn}}.<br />
<br />
File paths in this array should be relative (e.g. {{ic|etc/pacman.conf}}), not absolute (e.g. {{ic|/etc/pacman.conf}}). See also [[Pacnew and Pacsave Files]].<br />
<br />
=== options ===<br />
This array allows you to override some of makepkg's default behaviour, as defined in /etc/makepkg.conf. To set an option, include its name in the array. To reverse the default behaviour, place a ! at the front of the option. The following options may be placed in the array:<br />
<br />
* '''''strip''''' - Strips symbols from binaries and libraries. If you frequently use a debugger on programs or libraries, it may be worth disabling this option.<br />
* '''''docs''''' - Saves {{ic|/doc}} directories.<br />
* '''''libtool''''' - Leaves ''libtool'' ({{ic|.la}}) files in packages.<br />
* '''''emptydirs''''' - Leaves empty directories in packages.<br />
* '''''zipman''''' - Compresses ''man'' and ''info'' pages with ''gzip''.<br />
* '''''ccache''''' - Allows the use of {{ic|ccache}} during the build. More useful in its negative form {{ic|!ccache}}, for select packages that have problems building with {{ic|ccache}} enabled.<br />
* '''''distcc''''' - Allows the use of {{ic|distcc}} during the build. More useful in its negative form {{ic|!distcc}}, for select packages that have problems building with {{ic|distcc}} enabled.<br />
* '''''buildflags''''' - Allows the use of user-specific {{ic|buildflags}} (CFLAGS, CXXFLAGS, LDFLAGS) during the build. More useful in its negative form {{ic|!buildflags}}, for select packages that have problems building with modified {{ic|buildflags}}.<br />
* '''''makeflags''''' - Allows the use of user-specific {{ic|makeflags}} during the build. More useful in its negative form {{ic|!makeflags}}, for select packages that have problems building with modified {{ic|makeflags}}.<br />
<br />
=== install ===<br />
The name of the {{ic|.install}} script to be included in the package. pacman can store and execute a package-specific script when it installs, removes or upgrades a package. The script contains the following functions, which run at different moments:<br />
<br />
* '''''pre_install''''' - The script is run right before the files are extracted. One argument is passed: the new package version.<br />
* '''''post_install''''' - The script is run right after the files are extracted. One argument is passed: the new package version.<br />
* '''''pre_upgrade''''' - The script is run before the files are extracted. Two arguments are passed, in this order: the new package version, the old package version.<br />
* '''''post_upgrade''''' - The script is run after the files are extracted. Two arguments are passed, in this order: the new package version, the old package version.<br />
* '''''pre_remove''''' - The script is run right before the files are removed. One argument is passed: the old package version.<br />
* '''''post_remove''''' - The script is run right after the files are removed. One argument is passed: the old package version.<br />
<br />
Each function is run chrooted inside pacman's install root. See [https://bbs.archlinux.org/viewtopic.php?pid=913891 this thread].<br />
<br />
{{Tip|A prototype {{ic|.install}} file is provided at {{ic|/usr/share/pacman/proto.install}}.}}<br />
<br />
=== changelog ===<br />
The name of the package's changelog file. To view the changelog of installed packages (provided they have one):<br />
pacman -Qc ''pkgname''<br />
<br />
{{Tip|A prototype changelog file is provided at {{ic|/usr/share/pacman/ChangeLog.proto}}.}}<br />
<br />
=== source ===<br />
An array of files needed to build the package. It must contain the location of the software source, which is usually a full HTTP or FTP URL. The previously set {{ic|pkgname}} and {{ic|pkgver}} variables can be used here (e.g. {{ic|<nowiki>source=(http://example.com/$pkgname-$pkgver.tar.gz)</nowiki>}}).<br />
<br />
{{Note|If you need to supply files that are not directly downloadable, e.g. self-made patches, simply put them in the same directory as the {{ic|PKGBUILD}} file and add the filename to this array. Any paths added here are resolved relative to the directory containing the {{ic|PKGBUILD}}. Before the actual build process starts, all files referenced in this array are downloaded or checked for existence, and {{ic|makepkg}} will not proceed if any are missing.}}<br />
<br />
{{Tip|You can specify a different name for the downloaded file - if the downloaded file has a different name for some reason, such as the URL carrying a GET parameter - using the following syntax: {{Ic|''filename''::''fileuri''}}, for example {{Ic|$pkgname-$pkgver.zip::<nowiki>http://199.91.152.193/7pd0l2tpkidg/jg2e1cynwii/Warez_collection_16.4.exe</nowiki>}}}}<br />
<br />
=== noextract ===<br />
An array of files listed in {{ic|source}} that should not be extracted from their archive format by {{ic|makepkg}}. This mainly applies to specific zip files that {{ic|/usr/bin/bsdtar}} cannot handle, because {{Pkg|libarchive}} treats all files as streams, as opposed to {{Pkg|unzip}}, which uses random access. In those cases {{ic|unzip}} must be listed in {{ic|makedepends}} and the first line of the [[Creating Packages#The build() function|build()]] function must contain:<br />
<br />
cd "$srcdir/$pkgname-$pkgver"<br />
unzip [source].zip<br />
<br />
Note that while the {{ic|source}} array accepts URLs, {{ic|noextract}} takes '''only''' the filename part. For example, you would do something like this (simplified from the grub2 [https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/grub2&id=f054e33a0b5cbdfe7d81e91a8c4c807a9bfaa124 PKGBUILD]):<br />
<br />
source=(<nowiki>"http://ftp.archlinux.org/other/grub2/grub2_extras_lua_r20.tar.xz"</nowiki>)<br />
noextract=("grub2_extras_lua_r20.tar.xz")<br />
<br />
To extract ''nothing'', you can do something clever like the following (adopted from the [https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/firefox-i18n&id=cb10a40aeda9b444285d1ae6959c344110b4c936 firefox-i18n] PKGBUILD):<br />
<br />
noextract=(${source[@]##*/})<br />
<br />
{{Note|A more conservative Bash substitution would include quotes, or possibly a loop that calls {{ic|basename}}. If you have read this far, you should get the idea.}}<br />
<br />
=== md5sums ===<br />
An array of MD5 checksums of the files listed in the {{ic|source}} array. Once all files in {{ic|source}} are available, an MD5 hash of each file is generated automatically and compared with the values in this array, in the same order in which the files appear in {{ic|source}}. While the order of the source files themselves does not matter, it is important that this array follows that order, since {{ic|makepkg}} cannot guess which checksum belongs to which source file. You can quickly and easily generate the values of this array by running {{ic|makepkg -g}} in the directory containing the {{ic|PKGBUILD}}. Note that the MD5 algorithm has known weaknesses, so you should consider using a stronger alternative.<br />
<br />
=== sha1sums ===<br />
An array of SHA-1 160-bit checksums. This is an alternative to the {{ic|md5sums}} described above, but it is also known to have weaknesses, so you should consider using a stronger alternative. To enable the use and generation of these checksums, be sure to set the {{ic|INTEGRITY_CHECK}} option in {{ic|/etc/makepkg.conf}}. See {{ic|man makepkg.conf}}.<br />
<br />
=== sha256sums, sha384sums, sha512sums ===<br />
An array of SHA-2 checksums with digest sizes of 256, 384 and 512 bits respectively. These are alternatives to the {{ic|md5sums}} described above and are generally believed to be stronger. To enable the use and generation of these checksums, be sure to set the {{ic|INTEGRITY_CHECK}} option in {{ic|/etc/makepkg.conf}}. See the man page {{ic|man makepkg.conf}}.<br />
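The positional checksum comparison that the md5sums, sha1sums and sha256sums sections describe (together with the {{ic|''filename''::''fileuri''}} naming rule from the {{ic|source}} tip), as an added example that is not part of the wiki page or of makepkg itself; the helper names gen_sums, check_sources and source_filename are assumptions, and the two source files and their contents are constructed for the demo.<br />

```bash
#!/bin/bash
# Added example, not from the wiki page or from makepkg: a minimal
# re-implementation of the ordered checksum check makepkg performs.
# The i-th entry of "<algo>sums" must match the i-th entry of "source";
# the helpers read those global arrays exactly as a PKGBUILD declares them.

# Local filename of a source entry: "name::url" keeps "name" (the naming
# rule from the source tip), a plain URL or path keeps its basename.
source_filename() {
    local entry=$1
    case $entry in
        *::*) printf '%s\n' "${entry%%::*}" ;;
        *)    printf '%s\n' "${entry##*/}" ;;
    esac
}

# Print an "<algo>sums=(...)" array for the current source array, in source
# order, in the layout "makepkg -g" uses. algo: md5, sha1, sha256, sha384, sha512.
gen_sums() {
    local algo=$1 entry sum first=1
    printf '%ssums=(' "$algo"
    for entry in "${source[@]}"; do
        sum=$("${algo}sum" -- "$(source_filename "$entry")" | cut -d' ' -f1)
        # continuation lines are indented to align under the opening parenthesis
        [ "$first" -eq 1 ] || printf '\n%*s' $(( ${#algo} + 6 )) ''
        printf "'%s'" "$sum"
        first=0
    done
    printf ')\n'
}

# Compare every file of the source array against the same-index entry of
# "<algo>sums". Returns 0 only if the counts match and every digest matches;
# a missing file, a count mismatch or a wrong digest returns 1.
check_sources() {
    local algo=$1
    local -n sums="${algo}sums"      # nameref to md5sums, sha256sums, ...
    local i file actual status=0
    if [ "${#source[@]}" -ne "${#sums[@]}" ]; then
        echo "error: ${#source[@]} source entries but ${#sums[@]} ${algo}sums" >&2
        return 1
    fi
    for i in "${!source[@]}"; do
        file=$(source_filename "${source[$i]}")
        if [ ! -f "$file" ]; then
            echo "error: $file is missing" >&2
            status=1
            continue
        fi
        actual=$("${algo}sum" -- "$file" | cut -d' ' -f1)
        if [ "$actual" != "${sums[$i]}" ]; then
            echo "error: ${algo} digest mismatch for $file (entry $i)" >&2
            status=1
        fi
    done
    return "$status"
}

# Constructed demo, run in a subshell so it leaves the caller's state alone:
# a "remote" tarball and a local patch with made-up contents, then a
# simulated modified download.
demo() (
    dir=$(mktemp -d)
    cd "$dir" || exit 1
    printf 'constructed tarball contents\n' > foo-1.0.tar.gz
    printf 'constructed patch contents\n' > fix.patch
    source=('http://example.com/foo-1.0.tar.gz' 'fix.patch')
    eval "$(gen_sums sha256)"           # defines sha256sums=(...) like makepkg -g
    check_sources sha256 && echo "sources verified"
    printf 'tampered\n' > fix.patch
    check_sources sha256 || echo "tampering detected"
    cd / && rm -rf "$dir"
)

demo
```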
<br />
== See also ==<br />
*[http://pastebin.com/MeXiLDV9 Sample PKGBUILD file]<br />
*[http://seberm.pastebin.com/gP0tBqvs Sample .install file]</div>Foucaulthttps://wiki.archlinux.org/index.php?title=PKGBUILD_(%CE%95%CE%BB%CE%BB%CE%B7%CE%BD%CE%B9%CE%BA%CE%AC)&diff=210943PKGBUILD (Ελληνικά)2012-06-22T19:28:06Z<p>Foucault: /* checkdepends */</p>
<hr />
<div>[[Category:About Arch (Ελληνικά)]]<br />
[[Category:Package development (Ελληνικά)]]<br />
[[cs:PKGBUILD]]<br />
[[en:PKGBUILD]]<br />
[[es:PKGBUILD]]<br />
[[fa:PKGBUILD]]<br />
[[fr:PKGBUILD]]<br />
[[pl:PKGBUILD]]<br />
[[pt:PKGBUILD]]<br />
[[sr:PKGBUILD]]<br />
[[zh-CN:PKGBUILD]]<br />
[[zh-TW:PKGBUILD]]<br />
<br />
{{Article summary start}}<br />
{{Article summary text|Το παρόν άρθρο παρέχει μια επεξήγηση των μεταβλητών του PKGBUILD οί οποίες χρησιμοποιούνται κατά την [[Creating Packages|δημιουργία πακέτων]]. Ενα αρχείο PKGBUILD είναι μια δέσμη εντολών η οποία περιγράφει τον τρόπο με τον οποίο το λογισμικό μεταγλωττίζεται και "συσκευάζεται" σε πακέτο. Η συγγραφή συναρτήσεων εγκατάστασης και οι γενικές πληροφορίες σημιουργίας πακέτων καλύπτονται στο [[Creating Packages]] και σε άλλα [[:Category:Package development|package development]] άρθρα}}<br />
{{Article summary heading|Overview}}<br />
{{Article summary text|{{Package management overview}}}}<br />
{{Article summary heading|Related}}<br />
{{Article summary wiki|Arch Packaging Standards}}<br />
{{Article summary wiki|Creating Packages}}<br />
{{Article summary wiki|Custom local repository}}<br />
{{Article summary wiki|pacman Tips}}<br />
{{Article summary heading|Resources}}<br />
{{Article summary link|PKGBUILD(5) Manual Page|https://www.archlinux.org/pacman/PKGBUILD.5.html}}<br />
{{Article summary end}}<br />
<br />
Το '''PKGBUILD''' είναι το αρχείο περιγραφής της διαδικασίας [[Creating Packages|δημιουργίας πακέτων]] του [[Arch Linux]].<br />
<br />
Τα πακέτα στο Arch Linux δημιουργούνται με το εργαλείο [[makepkg]] και οι πληροφορίες για τη δημιουργία τους βρίσκονται στο αρχείο PKGBUILD. Όταν εκτελείται η εντολή '''makepkg''', το πρόγραμμα ψάχνει για ένα αρχείο {{Ic|PKGBUILD}} στον τρέχον κατάλογο και ακολουθεί τις οδηγίες είτε για την μεταγλώττιση είτε για την ανάκτηση των αρχείων που απαιτούνται για τη δημιορυγία του πακέτου ({{ic|''pkgname''.pkg.tar.xz}}) το οποίο τελικά θα περιέχει όλα τα binary αρχεία καθώς και τις οδηγίες εγκατάστασης και μπορεί πλέον να εγκατασταθεί απευθείας μέσω του [[pacman]].<br />
<br />
== Μεταβλητές ==<br />
Οι παρακάτω μεταβλητές μπορούν να συμπληρωθούν στο αρχείο PKGBUILD.<br />
<br />
Είναι συνήθης πρακτική να ορίζει κανείς τις μεταβλητές με την ίδια σειρά με την οποία παρουσιάζονται εδώ. Ωστόσο, αυτό δεν είναι αναγκαστικό, εφόσον χρησιμοποιείται ορθή σύνταξη [[Bash]].<br />
<br />
=== pkgname ===<br />
Το όνομα του πακέτου. Πρέπει να περιέχει ''είτε αλφαριθμητικούς χαρακτήρες και/ή τους χαρακτήρες @ . _ + - (at, τελεία, underscore, συν, παύλα)''. Όλοι οι χαρακτήρες πρέπει να είναι ''πεζοί'' ενώ τα ονόματα ''δεν πρέπει να ξεκινάνε με παύλες''. Για λόγους συνοχής, το {{ic|pkgname}} πρέπει να αντιστοιχεί στο όνομα που χρησιμοποείται στο tarball του πηγαίου κώδικα του προγράμματος για το οποίο προορίζεται το PKGBUILD. Για παράδειγμα, αν ο πηγαίος κώδικας του προγράμματος διαμοιράζεται ως {{ic|foobar-2.5.tar.gz}} τότε η μεταβλητή {{ic|pkgname}} πρέπει να είναι {{Ic|foobar}}. Ο τρέχον ενεργός κατάλογος στον οποίο βρίσκεται το PKGBUILD πρέπει επίσης να ταιριάζει με το {{ic|pkgname}}.<br />
<br />
=== pkgver ===<br />
Η τρέχουσα έκδοση του πακέτου. Αυτή η τιμή πρέπει να είναι ίδια με την έκδοση την οποία δημοσίευσε ο προγραμματιστής του πακέτου. Μπορεί να περιέχει χαρακτήρες, αριθμούς και τελείες αλλά '''δεν''' πρέπει να περιέχει παύλες. Αν ο αρχικός προγραμματιστής χρησιμοποιεί παύλες στην έκδοση του πακέτου, τότε αυτές πρέπει να αντικατασταθούν με underscore. Για παράδειγμα, αν η έκδοση είναι ''0.99-10'' τότε πρέπει να αλλαχτεί σε ''0.99_10''. Αν η μεταβλητή {{ic|pkgver}} χρησιμοποείται μετέπειτα στο PKGBUILD τότε το underscore μπορεί εύκολα να αντικατασταθεί. Για παράδειγμα:<br />
source=($pkgname-${pkgver//_/-}.tar.gz)<br />
<br />
=== pkgrel ===<br />
Ο αριθμός έκδοσης του πακέτου, ο οποίος αφορά το Arch Linux. Αυτή η μεταβλητή επιτρέπει στους χρήστες να διαφοροποιούν συνεχόμενα builds της ίδιας έκδοσης του πακέτου. Όταν βγαίνει μια νέα έκδοση του πακέτου ή ένα πακέτο δημιουργείται πρώτη φορά τότε το {{ic|pkgrel}} '''πρέπει να είναι 1'''. Καθώς βγαίνουν διορθώσεις ή βελτιστοποιήσεις στο PKGBUILD το {{ic|pkgrel}} αυξάνει κατά ένα και το πακέτο επαναδημοσιεύεται.<br />
<br />
=== epoch ===<br />
Μια ακέραια τιμή, ειδική για το Arch Linux, η οποία υπαγορεύει ως προς ποιό 'χρονικό' πρέπει να συγκριθούν οι αριθμοί έκδοσης. Η τιμή αυτή επιτρέπει την παράκαμψη των συνήθων κανόνων σύγκρισης έκδοσης για πακέτα τα οποία έχουν ασυνεπή αρίθμηση έκδοσης, απαιτούν υποβάθμιση, αλλαγή πλαισίου αρίθμησης, κτλ. Εξ'ορισμού, τα πακέτα θεωρείται πως έχουν τιμή epoch ''0''.Μην χρησιμοποιείτε το πεδίο αυτό εκτός και αν γνωρίζετε τι κάνετε.<br />
<br />
=== pkgdesc ===<br />
Περιγραφή του πακέτου. Η έκταση της περιγραφής πρέπει να είναι το πολύ 80 χαρακτήρες και δεν πρέπει να περιλαμβάνει το όνομα του πακέτου με αυτοαναφορικό τρόπο. Για παράδειγμα, "Το Nedit είναι ένας επεξεργαστής κειμένου για το X11" θα έπρεπε να γραφεί ως "ένας επεξεργαστής κειμένου για το X11."<br />
<br />
{{Note|Μην ακολουθείτε αυτόν τον κανόνα αβίαστα όταν υποβάλετε πακέτα στο [[AUR]]. Εάν το όνομα του πακέτου διαφέρει για κάποιο λόγο, απο το όνομα της εφαρμογής, Η ενσωμάτωση του πλήρους ονόματος στην περιγραφή μπορεί να είναι ο μόνος τρόπος να διασφαλιστεί η εύρεση του πακέτου κατά την αναζήτηση.}}<br />
<br />
=== arch ===<br />
Μια σειρά αρχιτεκτονικών στις οποίες είναι γνωστό ότι το αρχείο {{ic|PKGBUILD}} μπορεί να λειτουργήσει. Προς το παρόν, πρέπει να περιέχει {{ic|i686}} ή/και {{ic|x86_64}}, {{ic|1=arch=('i686' 'x86_64')}}. Η τιμή {{ic|any}} μπορεί να χρησιμοποιηθεί για πακέτα ανεξαρτήτου αρχιτεκτονικής.<br />
<br />
Μπορείτε να προσπελάστε την αρχιτεκτονική του συστήματος που απευθύνεστε με την μεταβλητή {{ic|$CARCH}} κατά την διάρκεια της μεταγλώττισης, ακόμα και κατά τον ορισμό μεταβλητών. Δείτε επίσης {{bug|16352}}. Παράδειγμα:<br />
<br />
depends=(foobar)<br />
if test "$CARCH" == x86_64; then<br />
depends+=(lib32-glibc)<br />
fi<br />
<br />
=== url ===<br />
Η διεύθυνση URL της επίσημης ιστοσελίδας του λογισμικού του οποίου το πακέτο δημιουργείται.<br />
<br />
=== license ===<br />
Η άδεια υπό την οποία διανέμεται το λογισμικό. Το πακέτο {{pkg|licenses}} έχει δημιουργηθεί στην ομάδα πακέτων {{ic|[core]}} το οποίο συγκεντρώνει τις κοινά χρησιμοποιούμενες άδειες στον κατάλογο {{ic|/usr/share/licenses/common}}, π.χ. {{ic|/usr/share/licenses/common/GPL}}. Εάν ενα πακέτο έχει διανεμηθεί υπό μιας εκ των προαναφερθέντων αδειών, η τιμή πρέπει να είναι ίση με το όνομα του καταλόγου, π.χ. {{ic|1=license=('GPL')}}. Εαν η ανάλογη άδεια εμπεριέχεται στο επίσημο πακέτο {{Pkg|licenses}}, πρέπει να ακολουθεί η παρακάτω διαδικασία:<br />
<br />
# The license file(s) must be included in the directory {{ic|/usr/share/licenses/''pkgname''/}}, e.g. {{ic|/usr/share/licenses/foobar/LICENSE}}.<br />
# If the source tarball does NOT contain the license details and the license is only shown somewhere else, e.g. on a website, then copy the license into a file and include it.<br />
# Add the {{ic|custom}} value to the {{ic|license}} field. Optionally, {{ic|custom}} can be replaced with {{ic|custom:''license name''}}. Once a license is used in two or more packages in an official repository (including {{ic|[community]}}), it is added to the {{Pkg|licenses}} package.<br />
* The [[Wikipedia:BSD License|BSD]], [[Wikipedia:MIT License|MIT]], [[Wikipedia:ZLIB license|zlib/png]] and [[Wikipedia:Python License|Python]] licenses are special cases and could not be included in the {{pkg|licenses}} package. To keep the {{ic|license}} field simple, they are treated as common licenses ({{ic|1=license=('BSD')}}, {{ic|1=license=('MIT')}}, {{ic|1=license=('ZLIB')}} and {{ic|1=license=('Python')}}), but technically speaking each one is a custom license, because each carries its own copyright line. Any package licensed under one of these four licenses should have its own unique license stored in {{ic|/usr/share/licenses/''pkgname''}}. Some packages may not be covered by a single license. In those cases, multiple entries can be made in the license field, e.g. {{ic|1=license=('GPL' 'custom:license name')}}.<br />
* Additionally, the (L)GPL has many versions and permutations of those versions. For (L)GPL software, the convention is:<br />
** (L)GPL - (L)GPLv2 or any later version<br />
** (L)GPL2 - (L)GPL2 only<br />
** (L)GPL3 - (L)GPL3 or any later version<br />
* If, after investigating the matter, no license can be determined, {{ic|PKGBUILD.proto}} suggests using {{ic|unknown}}. Nevertheless, upstream should be notified about the terms under which the software is (and is not) available.<br />
<br />
{{Tip|Some developers do not provide a separate file and describe the distribution terms in a section of the commonly used ReadMe.txt. This information can be extracted into a separate file during the {{Ic|build()}} phase with a command like: {{Ic|sed -n '/'''This software'''/,/''' thereof.'''/p' ReadMe.txt > LICENSE}}.}}<br />
<br />
=== groups ===<br />
The group the package belongs to. For example, when you install the {{Pkg|kdebase}} package, all packages belonging to the {{Grp|kde}} group are installed.<br />
<br />
=== depends ===<br />
An array of package names that must be installed before this software can be run. If the software requires a minimum version of a dependency, the {{ic|1=>=}} operator should be used to express that requirement, e.g. {{ic|1=depends=('foobar>=1.8.0')}}. You do not need to list packages that your software depends on if other packages your software depends on already list them as dependencies. For example, {{pkg|gtk2}} depends on {{pkg|glib2}} and {{pkg|glibc}}. However, {{pkg|glibc}} does not need to be listed as a dependency of {{pkg|gtk2}}, because it is one of the dependencies of {{pkg|glib2}}.<br />
<br />
===makedepends===<br />
An array of package names that must be installed to build the software but are not needed to use it after installation. Minimum version requirements can be specified in the same way as described for {{ic|depends}}.<br />
<br />
{{Warning|The {{Grp|base-devel}} package group is assumed to be installed when building with makepkg. Members of the "base-devel" group '''should not''' be included in the {{ic|makedepends}} field.}}<br />
<br />
=== checkdepends ===<br />
An array of packages this package depends on to run its test suite but which are not needed at runtime. Packages in this list follow the same format as {{ic|depends}}. These dependencies are only considered when the [[Creating Packages#The check() function|check()]] function is present and is to be run by makepkg.<br />
<br />
=== optdepends ===<br />
An array of package names that are not needed for the software to function but provide additional features. A short description of what each package provides should also be noted. An {{ic|optdepends}} field may look like this:<br />
optdepends=('cups: printing support'<br />
'sane: scanners support'<br />
'libgphoto2: digital cameras support'<br />
'alsa-lib: sound support'<br />
'giflib: GIF images support'<br />
'libjpeg: JPEG images support'<br />
'libpng: PNG images support')<br />
<br />
=== provides ===<br />
An array of package names (or a virtual package such as {{Ic|cron}} or {{Ic|sh}}) whose features the current package provides. Packages providing the same things can be installed simultaneously unless they conflict with each other (see below). If you use this variable, you should add the version ({{ic|pkgver}} and perhaps {{ic|pkgrel}}) that this package will provide if dependencies may be affected by it. For example, if you are providing a modified version of the ''qt'' package named ''qt-foobar'' version 3.3.8 which provides ''qt'', then the {{ic|provides}} field should look like {{ic|1=provides=('qt=3.3.8')}}. Using {{ic|1=provides=('qt')}} would fail to satisfy dependencies that require a specific version of ''qt''. Do not add {{ic|pkgname}} to the provides field, as it is done automatically.<br />
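The following bash script is an added example, not part of the Arch wiki page or of pacman: it shows how a versioned entry such as {{ic|foobar>=1.8.0}} in {{ic|depends}} is matched against what an installed package provides, and why {{ic|1=provides=('qt')}} cannot satisfy {{ic|qt>=3.3.8}} while {{ic|1=provides=('qt=3.3.8')}} can. Version ordering uses GNU {{ic|sort -V}} as a stand-in for pacman's {{ic|vercmp}} (an assumption of this example; pacman's real rules are vercmp's), the function names are this example's own, and the "installed" package list, versions included, is constructed.<br />

```bash
#!/usr/bin/env bash
# Added example (not from the Arch wiki or pacman): matching depends= constraints
# against provides= entries. sort -V stands in for pacman's vercmp (assumption);
# the installed-package data below is constructed for the demonstration.

# vercmp_lt A B: true when version A sorts strictly before version B.
vercmp_lt() {
    [[ $1 != "$2" ]] && [[ $(printf '%s\n' "$1" "$2" | sort -V | head -n1) == "$1" ]]
}

# split_constraint 'name>=1.8.0' prints "name >= 1.8.0"; a bare name prints
# just the name. Operators accepted: >=, <=, =, >, < (those depends= uses).
split_constraint() {
    local c=$1
    case $c in
        *'>='*) printf '%s >= %s\n' "${c%%>=*}" "${c#*>=}" ;;
        *'<='*) printf '%s <= %s\n' "${c%%<=*}" "${c#*<=}" ;;
        *'='*)  printf '%s = %s\n'  "${c%%=*}"  "${c#*=}" ;;
        *'>'*)  printf '%s > %s\n'  "${c%%>*}"  "${c#*>}" ;;
        *'<'*)  printf '%s < %s\n'  "${c%%<*}"  "${c#*<}" ;;
        *)      printf '%s\n' "$c" ;;
    esac
}

# satisfies PROVIDED CONSTRAINT: PROVIDED is a provides= entry ('qt' or
# 'qt=3.3.8'), CONSTRAINT a depends= entry. Returns 0 when satisfied.
# An unversioned provider satisfies only an unversioned constraint: there is
# no version to compare, so 'qt' does not satisfy 'qt>=3.3.8'.
satisfies() {
    local pname pop pver cname op cver
    read -r pname pop pver <<< "$(split_constraint "$1")"
    read -r cname op cver <<< "$(split_constraint "$2")"
    [[ $pname == "$cname" ]] || return 1
    [[ -z $op ]] && return 0
    [[ -n $pver ]] || return 1
    case $op in
        '=')  [[ $pver == "$cver" ]] ;;
        '>=') ! vercmp_lt "$pver" "$cver" ;;
        '<=') ! vercmp_lt "$cver" "$pver" ;;
        '>')  vercmp_lt "$cver" "$pver" ;;
        '<')  vercmp_lt "$pver" "$cver" ;;
    esac
}

# Constructed stand-in for the local package database. Each entry starts with
# the package's own name=version (pacman provides that implicitly; never list
# pkgname in provides= yourself), followed by its provides= entries.
installed=(
    "qt-foobar=3.3.8 qt=3.3.8"
    "qt-unversioned=4.1 qt"
    "busybox=1.36.1 sh"
    "cronie=1.7.2 cron"
)

# provider_of CONSTRAINT: prints the name of the first installed package that
# satisfies CONSTRAINT; returns 1 when none does.
provider_of() {
    local entry p
    for entry in "${installed[@]}"; do
        for p in $entry; do          # word-split: self-provide, then provides=
            if satisfies "$p" "$1"; then
                printf '%s\n' "${entry%%[= ]*}"
                return 0
            fi
        done
    done
    return 1
}

if [[ ${BASH_SOURCE[0]} == "$0" ]]; then
    for c in 'qt>=3.3' 'qt>=4' 'cron' 'sh>=1.30'; do
        if p=$(provider_of "$c"); then echo "$c: satisfied by $p"
        else echo "$c: NOT satisfied"; fi
    done
fi
```

Note that {{ic|qt-unversioned}} is at version 4.1 but only provides a bare {{ic|qt}}, so {{ic|qt>=4}} stays unsatisfied; that is the situation the paragraph above warns about.<br />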
<br />
=== conflicts ===<br />
An array of package names that may cause problems with the current package if installed. The package with that name, and any package that provides a virtual package of that name, will be removed. Version properties of the conflicting packages can be specified as in the {{ic|depends}} field.<br />
<br />
=== replaces ===<br />
An array of obsolete package names that are replaced by the current package, e.g. {{ic|1=replaces=('ethereal')}} for the {{pkg|wireshark}} package. After syncing with {{ic|pacman -Sy}}, pacman will immediately replace an installed package as soon as it finds another package in the repositories with a matching {{ic|replaces}} entry. If you are providing an alternative version of an already existing package, use the {{ic|conflicts}} variable instead, which is only considered when the conflicting package is installed.<br />
<br />
=== backup ===<br />
An array of files that contain modifications made by the system's users and should be preserved when the package is upgraded or removed; it is mainly intended for configuration files in {{ic|/etc}}.<br />
<br />
On upgrade, the new version may be saved as {{ic|file.pacnew}} to avoid overwriting a file that already exists and was modified by the user. Likewise, when the package is removed, the user-modified file is preserved as {{ic|file.pacsave}} unless the package was removed with {{ic|pacman -Rn}}. <br />
<br />
File paths in this field should be relative (e.g. {{ic|etc/pacman.conf}}) rather than absolute (e.g. {{ic|/etc/pacman.conf}}). See also [[Pacnew and Pacsave Files]].<br />
<br />
=== options ===<br />
This field allows you to override some of makepkg's default behaviour, as defined in /etc/makepkg.conf. To set an option, add its name to the field. To reverse the default for an option, prefix it with a !. The following options can be added to the field:<br />
<br />
* '''''strip''''' - Strips symbols from binaries and libraries. If you frequently use a debugger on programs or libraries, it may be useful to disable this option.<br />
* '''''docs''''' - Saves {{ic|/doc}} directories.<br />
* '''''libtool''''' - Keeps ''libtool'' ({{ic|.la}}) files in packages.<br />
* '''''emptydirs''''' - Keeps empty directories in packages.<br />
* '''''zipman''''' - Compresses ''man'' and ''info'' pages with ''gzip''.<br />
* '''''ccache''''' - Allows the use of {{ic|ccache}} during the build. It is mostly useful in its negative form, {{ic|!ccache}}, for specific packages that have problems building with {{ic|ccache}} enabled.<br />
* '''''distcc''''' - Allows the use of {{ic|distcc}} during the build. It is mostly useful in its negative form, {{ic|!distcc}}, for specific packages that have problems building with {{ic|distcc}} enabled.<br />
* '''''buildflags''''' - Allows the use of user-defined {{ic|buildflags}} (CFLAGS, CXXFLAGS, LDFLAGS) during the build. It is mostly useful in its negative form, {{ic|!buildflags}}, for specific packages that have problems building with modified {{ic|buildflags}}.<br />
* '''''makeflags''''' - Allows the use of user-defined {{ic|makeflags}} during the build. It is mostly useful in its negative form, {{ic|!makeflags}}, for specific packages that have problems building with modified {{ic|makeflags}}.<br />
<br />
=== install ===<br />
The name of the {{ic|.install}} script to be included in the package. pacman can store and execute a package-specific script when a package is installed, removed or upgraded. The script contains the following functions, which are run at different points in time:<br />
<br />
* '''''pre_install''''' - The script is run right before files are extracted. One argument is passed: the new package version.<br />
* '''''post_install''''' - The script is run right after files are extracted. One argument is passed: the new package version.<br />
* '''''pre_upgrade''''' - The script is run before files are extracted. Two arguments are passed, in this order: the new package version, then the old package version.<br />
* '''''post_upgrade''''' - The script is run after files are extracted. Two arguments are passed, in this order: the new package version, then the old package version.<br />
* '''''pre_remove''''' - The script is run right before files are removed. One argument is passed: the old package version.<br />
* '''''post_remove''''' - The script is run right after files are removed. One argument is passed: the old package version.<br />
<br />
Each function is run chrooted inside pacman's install root. See [https://bbs.archlinux.org/viewtopic.php?pid=913891 this thread].<br />
<br />
{{Tip|A prototype {{ic|.install}} file is provided at {{ic|/usr/share/pacman/proto.install}}.}}<br />
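As an added example (not from the Arch wiki, pacman or its {{ic|proto.install}}), the script below is a complete {{ic|.install}} scriptlet for a hypothetical package {{ic|foobar}} whose configuration format changed in version 2.0.0. It shows the six hooks with the arguments listed above and uses the old/new versions passed to {{ic|post_upgrade}} to decide whether to print a one-time migration notice. Remember that pacman runs these functions as root inside the install root, so they should rely only on the arguments pacman passes and on the package's own files. The {{ic|needs_migration}} helper, the {{ic|MIGRATION_VERSION}} constant, the paths and the {{ic|foobar --migrate-config}} command are assumptions of this example; version ordering uses GNU {{ic|sort -V}} rather than pacman's {{ic|vercmp}}.<br />

```bash
#!/usr/bin/env bash
# Added example (not from the Arch wiki or pacman): a .install scriptlet for a
# hypothetical package "foobar" with a config format change at 2.0.0.
# pacman calls these functions as root, chrooted into the install root, with
# the version strings shown in the list above (pkgver-pkgrel form).
# Assumptions: needs_migration/MIGRATION_VERSION, the paths and the
# "foobar --migrate-config" command exist only in this example; sort -V
# stands in for pacman's vercmp.

MIGRATION_VERSION=2.0.0

# version_lt A B: true when version A sorts strictly before version B.
version_lt() {
    [[ $1 != "$2" ]] && [[ $(printf '%s\n' "$1" "$2" | sort -V | head -n1) == "$1" ]]
}

# pkgver_of "2.1.0-1" prints "2.1.0": drop the Arch-specific pkgrel so only
# the upstream version takes part in the comparison.
pkgver_of() { printf '%s\n' "${1%-*}"; }

# needs_migration NEW OLD: 0 when old < MIGRATION_VERSION <= new, else 1.
needs_migration() {
    local new old
    new=$(pkgver_of "$1")
    old=$(pkgver_of "$2")
    version_lt "$old" "$MIGRATION_VERSION" && ! version_lt "$new" "$MIGRATION_VERSION"
}

pre_install() {
    # $1 = new version. Nothing to do before files are extracted.
    :
}

post_install() {
    # $1 = new version.
    echo "foobar $1 installed; see /usr/share/doc/foobar/README"   # hypothetical path
}

pre_upgrade() {
    # $1 = new version, $2 = old version. Nothing to do before extraction.
    :
}

post_upgrade() {
    # $1 = new version, $2 = old version: the old files are already replaced.
    if needs_migration "$1" "$2"; then
        echo "foobar: configuration format changed in $MIGRATION_VERSION;"
        echo "        run 'foobar --migrate-config' once (hypothetical command)."
    fi
}

pre_remove() {
    # $1 = old version. Files are still in place at this point.
    :
}

post_remove() {
    # $1 = old version. Package files are gone; state directories remain.
    echo "foobar $1 removed; data in /var/lib/foobar was left in place"   # hypothetical path
}
```

Running {{ic|post_upgrade 2.1.0-1 1.9.3-2}} prints the migration notice, while {{ic|post_upgrade 2.1.0-2 2.1.0-1}} (a pkgrel bump) prints nothing.<br />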
<br />
=== changelog ===<br />
The name of the package changelog. To view the changelog of an installed package (provided it ships one):<br />
pacman -Qc ''pkgname''<br />
<br />
{{Tip|A prototype changelog file is provided at {{ic|/usr/share/pacman/ChangeLog.proto}}.}}<br />
<br />
=== source ===<br />
An array of files needed to build the package. It must contain the location of the software's source files, which is usually a full HTTP or FTP URL. The previously defined variables {{ic|pkgname}} and {{ic|pkgver}} can be used here (e.g. {{ic|<nowiki>source=(http://example.com/$pkgname-$pkgver.tar.gz)</nowiki>}}).<br />
<br />
{{Note|If you need to supply files that are not directly available for download, e.g. home-made patches, simply put them in the same directory as the {{ic|PKGBUILD}} and add the file name to this field. Any paths added here are resolved relative to the directory containing the {{ic|PKGBUILD}}. Before the actual package build starts, every file listed in this field is downloaded or checked for existence, and {{ic|makepkg}} will not continue if any are missing.}}<br />
<br />
{{Tip|You can give the downloaded file a different name (useful when the downloaded file would otherwise get an unsuitable name, for example because the URL has a GET parameter) with the syntax {{Ic|''filename''::''fileuri''}}, for example {{Ic|$pkgname-$pkgver.zip::<nowiki>http://199.91.152.193/7pd0l2tpkidg/jg2e1cynwii/Warez_collection_16.4.exe</nowiki>}}}}<br />
<br />
=== noextract ===<br />
An array of files listed in {{ic|source}} that should not be extracted from their archive format by {{ic|makepkg}}. This applies mainly to certain zip files that {{ic|/usr/bin/bsdtar}} cannot handle, because {{Pkg|libarchive}} treats all files as streams whereas {{Pkg|unzip}} follows a random-access approach. In these cases {{ic|unzip}} must be listed in {{ic|makedepends}} and the first lines of the [[Creating Packages#The build() function|build()]] function must contain:<br />
<br />
cd "$srcdir/$pkgname-$pkgver"<br />
unzip [source].zip<br />
<br />
Note that while {{ic|source}} accepts URLs, {{ic|noextract}} takes '''only''' the file name part. For example, you would do something like this (simplified from the grub2 [https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/grub2&id=f054e33a0b5cbdfe7d81e91a8c4c807a9bfaa124 PKGBUILD]):<br />
<br />
source=(<nowiki>"http://ftp.archlinux.org/other/grub2/grub2_extras_lua_r20.tar.xz"</nowiki>)<br />
noextract=("grub2_extras_lua_r20.tar.xz")<br />
<br />
To extract ''nothing'', you can do something clever like this (adapted from the [https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/firefox-i18n&id=cb10a40aeda9b444285d1ae6959c344110b4c936 firefox-i18n] PKGBUILD):<br />
<br />
noextract=(${source[@]##*/})<br />
<br />
{{Note|A more conservative Bash substitution would include quotes, or possibly a loop that calls {{ic|basename}}. If you have read this far, you should get the idea.}}<br />
<br />
=== md5sums ===<br />
An array of MD5 checksums of the files listed in {{ic|source}}. Once all files in {{ic|source}} are available, an MD5 hash of each file is generated automatically and compared with the values of this field, in the same order as the files appear in {{ic|source}}. While the order of the source files themselves does not matter, it is important that it matches the order of this field, since {{ic|makepkg}} cannot guess which checksum belongs to which source file. You can quickly and easily generate the values for this field by running {{ic|makepkg -g}} in the directory containing the {{ic|PKGBUILD}}. Note that collision attacks against MD5 are practical, so an attacker who controls the download can serve a different file with the same MD5 sum; prefer one of the stronger alternatives below.<br />
<br />
=== sha1sums ===<br />
An array of SHA-1 160-bit checksums. This is an alternative to the {{ic|md5sums}} described above, but SHA-1 also has known weaknesses, so you should consider using a stronger alternative. To enable the use and generation of these checksums, make sure to set the {{ic|INTEGRITY_CHECK}} option in {{ic|/etc/makepkg.conf}}. See {{ic|man makepkg.conf}}.<br />
<br />
=== sha256sums, sha384sums, sha512sums ===<br />
Arrays of SHA-2 checksums with digest sizes of 256, 384 and 512 bits respectively. They are alternatives to the {{ic|md5sums}} described above and are generally considered stronger. To enable the use and generation of these checksums, make sure to set the {{ic|INTEGRITY_CHECK}} option in {{ic|/etc/makepkg.conf}}. See {{ic|man makepkg.conf}}.<br />
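The bash script below is an added example, not part of the Arch wiki page or of makepkg itself, and it serves both the {{ic|noextract}} discussion above and the checksum fields: it derives the local file name of each {{ic|source}} entry the way makepkg does (including the {{ic|''filename''::''fileuri''}} form, which a bare {{ic|${source[@]##*/}}} would get wrong), builds a quoting-safe {{ic|noextract}} list from it, and verifies {{ic|sha256sums}} against the files in {{ic|source}} order, including the case where two valid checksums are merely listed in the wrong order. It assumes GNU coreutils ({{ic|sha256sum}}, {{ic|mktemp}}) with a fallback to {{ic|shasum}}; the function names, the example URL and the source files written by {{ic|setup_demo}} are constructed for this example.<br />

```bash
#!/usr/bin/env bash
# Added example (not from the Arch wiki or makepkg): local file names of
# source= entries, a quoting-safe noextract list, and in-order verification of
# sha256sums=. Assumes GNU coreutils; the demo sources and URL are constructed.

if ! command -v sha256sum >/dev/null 2>&1; then
    sha256sum() { shasum -a 256 "$@"; }     # fallback for systems without coreutils
fi

# Local file name of one source= entry: "name::uri" -> name; otherwise the
# last path component of the URL, or the bare name of a local file.
source_filename() {
    case $1 in
        *::*) printf '%s\n' "${1%%::*}" ;;
        *)    printf '%s\n' "${1##*/}" ;;
    esac
}

# Quoting-safe equivalent of noextract=(${source[@]##*/}) that also honours
# renamed (name::uri) entries; prints one file name per line.
noextract_all() {
    local s
    for s in "${source[@]}"; do source_filename "$s"; done
}

# Check each file in SRCDIR against the sha256sums= entry at the same index.
# Like makepkg: refuses to continue when the counts differ, accepts the literal
# SKIP to bypass one file, and returns 1 on any mismatch.
verify_sha256sums() {
    local srcdir=$1 i file actual rc=0
    if (( ${#source[@]} != ${#sha256sums[@]} )); then
        echo "error: ${#source[@]} sources but ${#sha256sums[@]} checksums" >&2
        return 1
    fi
    for i in "${!source[@]}"; do
        file=$srcdir/$(source_filename "${source[i]}")
        if [[ ${sha256sums[i]} == SKIP ]]; then
            echo "$file ... Skipped"
            continue
        fi
        actual=$(sha256sum "$file" | cut -d' ' -f1)
        if [[ $actual == "${sha256sums[i]}" ]]; then
            echo "$file ... Passed"
        else
            echo "$file ... FAILED" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed demo: a temporary srcdir with a renamed download and a local
# patch, and source=/sha256sums= set the way a PKGBUILD would set them.
setup_demo() {
    demo_dir=$(mktemp -d)
    printf 'constructed tarball contents\n' > "$demo_dir/foobar-1.0.zip"
    printf 'constructed patch contents\n'   > "$demo_dir/fix-build.patch"
    source=("foobar-1.0.zip::http://example.com/download?id=42"   # hypothetical URL
            "fix-build.patch")
    sha256sums=("$(sha256sum "$demo_dir/foobar-1.0.zip"  | cut -d' ' -f1)"
                "$(sha256sum "$demo_dir/fix-build.patch" | cut -d' ' -f1)")
}

# Returns 0: checksums listed in source= order.
demo_in_order() {
    setup_demo
    verify_sha256sums "$demo_dir" >/dev/null 2>&1; local rc=$?
    rm -rf "$demo_dir"; return $rc
}

# Returns 1: the same two valid checksums in the wrong order. Neither file is
# corrupt, but makepkg cannot guess which checksum belongs to which file.
demo_swapped() {
    setup_demo
    sha256sums=("${sha256sums[1]}" "${sha256sums[0]}")
    verify_sha256sums "$demo_dir" >/dev/null 2>&1; local rc=$?
    rm -rf "$demo_dir"; return $rc
}

if [[ ${BASH_SOURCE[0]} == "$0" ]]; then
    setup_demo
    printf 'noextract=(%s)\n' "$(noextract_all | xargs)"
    verify_sha256sums "$demo_dir" || true
    rm -rf "$demo_dir"
fi
```

Without the {{ic|::}} rename, the hypothetical URL above would yield the local name {{ic|download?id=42}}, which is exactly the situation the {{ic|source}} tip addresses.<br />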
<br />
== See also ==<br />
*[http://pastebin.com/MeXiLDV9 Sample PKGBUILD file]<br />
*[http://seberm.pastebin.com/gP0tBqvs Sample .install file]</div>Foucaulthttps://wiki.archlinux.org/index.php?title=PKGBUILD_(%CE%95%CE%BB%CE%BB%CE%B7%CE%BD%CE%B9%CE%BA%CE%AC)&diff=209389PKGBUILD (Ελληνικά)2012-06-15T20:32:33Z<p>Foucault: Created page with "'''PKGBUILD''' is the [[Creating Packages|package build]] description file of [[Arch L..."</p>
<hr />
<div>'''PKGBUILD''' is the [[Creating Packages|package build]] description file of [[Arch Linux]].<br />
<br />
Packages in Arch Linux are built with the [[makepkg]] tool, and the information needed to build them lives in the PKGBUILD file. When '''makepkg''' runs, it looks for a {{Ic|PKGBUILD}} file in the current directory and follows its instructions to compile or otherwise acquire the files required to build the package ({{ic|''pkgname''.pkg.tar.xz}}). The resulting package contains all the binary files together with the installation instructions and can then be installed directly with [[pacman]].<br />
<br />
== Variables ==<br />
The following variables can be filled in in the PKGBUILD file.<br />
<br />
It is common practice to define the variables in the same order as they are presented here. However, this is not mandatory, as long as correct [[Bash]] syntax is used.<br />
<br />
=== pkgname ===<br />
The name of the package. It may only contain ''alphanumeric characters and/or the characters @ . _ + - (at, period, underscore, plus, hyphen)''. All letters must be ''lowercase'', and names ''must not start with a hyphen''. For consistency, {{ic|pkgname}} should match the name used in the source tarball of the program the PKGBUILD is for. For example, if the program's source is distributed as {{ic|foobar-2.5.tar.gz}}, then {{ic|pkgname}} should be {{Ic|foobar}}. The working directory containing the PKGBUILD should also match {{ic|pkgname}}.<br />
<br />
=== pkgver ===<br />
The current version of the package. This value should be the same as the version released by the package's developer. It may contain letters, numbers and periods but '''must not''' contain hyphens. If upstream uses hyphens in the version, they must be replaced with underscores. For example, if the version is ''0.99-10'' it must be changed to ''0.99_10''. If the {{ic|pkgver}} variable is used later in the PKGBUILD, the underscore can easily be substituted back. For example:<br />
source=($pkgname-${pkgver//_/-}.tar.gz)<br />
<br />
=== pkgrel ===<br />
The Arch Linux-specific release number of the package. This variable allows users to differentiate between consecutive builds of the same version of a package. When a new version of the package is released, or a package is built for the first time, {{ic|pkgrel}} '''must be 1'''. As fixes or optimizations are made to the PKGBUILD, {{ic|pkgrel}} is incremented by one and the package is re-released.</div>Foucaulthttps://wiki.archlinux.org/index.php?title=SLiM&diff=103286SLiM2010-04-14T16:16:15Z<p>Foucault: /* SLiM and Gnome Keyring */</p>
<hr />
<div>[[Category:Display managers (English)]]<br />
{{i18n|SLiM}}<br />
{{Article summary start}}<br />
{{Article summary text|Provides an overview of the Simple Login Manager.}}<br />
{{Article summary heading|Related}}<br />
{{Article summary wiki|Display Manager}}<br />
{{Article summary end}}<br />
[http://slim.berlios.de/ SLiM] is an acronym for Simple Login Manager. SLiM is simple, lightweight and easily configurable. SLiM is used by some because it does not require the dependencies of [[GNOME]] or [[KDE]] and can help make a lighter system for users that like to use lightweight desktops like [[Xfce]], [[Openbox]], and [[Fluxbox]].<br />
<br />
== Installation ==<br />
<br />
Install SLiM from the '''extra''' repository:<br />
<br />
# pacman -S slim<br />
<br />
== Configuration ==<br />
<br />
=== Enabling SLiM ===<br />
<br />
SLiM can be loaded on startup by entering it in your daemons array in {{Filename|rc.conf}} or by modifying {{Filename|inittab}}. See [[Display Manager]] for detailed instructions.<br />
<br />
=== Single environments ===<br />
<br />
To configure SLiM to load a particular environment, edit your {{Filename|~/.xinitrc}} to load your desktop environment:<br />
<br />
<pre><br />
#!/bin/sh<br />
<br />
#<br />
# ~/.xinitrc<br />
#<br />
# Executed by startx (run your window manager from here)<br />
#<br />
<br />
exec [session-command]<br />
</pre><br />
<br />
SLiM reads the local {{Filename|~/.xinitrc}} configuration and then launches the desktop according to what is in that file. If you do not have a {{Filename|~/.xinitrc}} file, you can start from the skeleton file:<br />
<br />
$ cp /etc/skel/.xinitrc $HOME<br />
<br />
Replace {{Codeline|[session-command]}} with the appropriate session command. Some examples of different desktop start commands:<br />
<br />
<pre><br />
exec awesome<br />
exec fluxbox<br />
exec fvwm2<br />
exec gnome-session<br />
exec openbox-session<br />
exec startkde<br />
exec startlxde<br />
exec startxfce4<br />
</pre><br />
<br />
If your environment is not listed here, refer to the appropriate wiki page.<br />
<br />
=== PolicyKit ===<br />
<br />
If you have problems with PolicyKit, wrap the session in ConsoleKit's {{Codeline|ck-launch-session}}:<br />
<br />
<pre><br />
#!/bin/sh<br />
<br />
#<br />
# ~/.xinitrc<br />
#<br />
# Executed by startx (run your window manager from here)<br />
#<br />
<br />
exec ck-launch-session [session-command]<br />
</pre><br />
<br />
=== Multiple environments ===<br />
<br />
To be able to choose from multiple desktop environments, SLiM can be setup to log you into whichever you choose.<br />
<br />
Put a case statement similar to this one in your {{Filename|~/.xinitrc}} file and edit the sessions variable in {{Filename|/etc/slim.conf}} to match the names that trigger the case statement. You can choose the session at login time by pressing F1. Note that this feature is experimental.<br />
<br />
<pre><br />
# The following variable defines the session which is started if the user doesn't explicitly select a session<br />
# Source: http://svn.berlios.de/svnroot/repos/slim/trunk/xinitrc.sample<br />
<br />
DEFAULT_SESSION=twm<br />
<br />
case $1 in<br />
kde)<br />
exec startkde<br />
;;<br />
xfce4)<br />
exec startxfce4<br />
;;<br />
icewm)<br />
icewmbg &<br />
icewmtray &<br />
exec icewm<br />
;;<br />
wmaker)<br />
exec wmaker<br />
;;<br />
blackbox)<br />
exec blackbox<br />
;;<br />
*)<br />
exec $DEFAULT_SESSION<br />
;;<br />
esac<br />
</pre><br />
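As an added example, not from the SLiM project or the Arch wiki page, the bash script below turns the session dispatch of the {{Filename|~/.xinitrc}} case statement above into a function and adds the check a practitioner wants when editing the {{Codeline|sessions}} line of {{Filename|/etc/slim.conf}}: every name SLiM can offer on F1 must be handled by the case statement, otherwise the unhandled name silently falls through to the default session. The {{Filename|slim.conf}} excerpts written by {{Codeline|write_conf}} are constructed, and the function names are this example's own.<br />

```bash
#!/usr/bin/env bash
# Added example (not from SLiM or the Arch wiki): the ~/.xinitrc session
# dispatch as a function, plus a check that every name on the "sessions" line
# of slim.conf is handled rather than falling through to the default.
# The slim.conf excerpts written by write_conf are constructed for the demo.

DEFAULT_SESSION=twm

# session_command NAME: print the command ~/.xinitrc would exec for NAME.
# Returns 1 when NAME is not a known session, i.e. the "*)" branch was hit.
session_command() {
    case $1 in
        kde)      echo startkde ;;
        xfce4)    echo startxfce4 ;;
        icewm)    echo icewm ;;        # icewmbg and icewmtray are started beside it
        wmaker)   echo wmaker ;;
        blackbox) echo blackbox ;;
        *)        echo "$DEFAULT_SESSION"; return 1 ;;
    esac
}

# slim_sessions FILE: the comma-separated "sessions" value of a slim.conf,
# one name per line with surrounding blanks stripped; comment lines ignored.
slim_sessions() {
    sed -n 's/^[[:space:]]*sessions[[:space:]][[:space:]]*//p' "$1" \
        | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$'
}

# check_sessions FILE: 0 when every configured session is handled by
# session_command; otherwise 1, naming each unhandled session on stderr.
check_sessions() {
    local name rc=0
    while IFS= read -r name; do
        if ! session_command "$name" >/dev/null; then
            echo "unhandled session in $1: $name" >&2
            rc=1
        fi
    done < <(slim_sessions "$1")
    return $rc
}

# write_conf FILE SESSIONS: write a constructed slim.conf excerpt.
write_conf() {
    cat > "$1" <<EOF
# constructed excerpt of /etc/slim.conf
default_user        simone
sessions            $2
EOF
}

if [[ ${BASH_SOURCE[0]} == "$0" ]]; then
    tmp=$(mktemp -d)
    write_conf "$tmp/good.conf" "kde,xfce4,icewm"
    write_conf "$tmp/bad.conf"  "kde,icewm-session,gnome"
    check_sessions "$tmp/good.conf" && echo "good.conf: all sessions handled"
    check_sessions "$tmp/bad.conf"  || echo "bad.conf: fix sessions in slim.conf or ~/.xinitrc"
    rm -rf "$tmp"
fi
```

A {{Codeline|sessions}} entry such as {{Codeline|icewm-session}} is flagged because the case statement only knows {{Codeline|icewm}}; selecting it at the login screen would start {{Codeline|twm}} instead.<br />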
<br />
=== Themes ===<br />
<br />
Install the {{Package Official|slim-themes}} and {{Package Official|archlinux-themes-slim}} packages:<br />
<br />
# pacman -S slim-themes archlinux-themes-slim<br />
<br />
The {{Package Official|archlinux-themes-slim}} package contains several different themes. Look in {{Filename|/usr/share/slim/themes}} to see the themes available. Enter the theme name on the 'current_theme' line in {{Filename|/etc/slim.conf}}:<br />
<br />
#current_theme default<br />
current_theme archlinux-simplyblack<br />
<br />
To preview a theme (only possible while no instance of the Xorg server is running), run:<br />
<br />
$ slim -p /usr/share/slim/themes/<theme name><br />
<br />
To close, type "exit" in the Login line and press Enter.<br />
<br />
Additional theme packages can be found in the [[AUR]].<br />
<br />
==== Dual screen setup ====<br />
<br />
You can customize the SLiM theme in /usr/share/slim/themes/<your-theme>/slim.theme to turn these percentage values (the panel itself is 450 pixels by 250 pixels):<br />
<br />
input_panel_x 50%<br />
input_panel_y 50%<br />
<br />
into pixels values:<br />
<br />
# These settings set the "archlinux-simplyblack" panel in the center of a 1440x900 screen<br />
input_panel_x 495<br />
input_panel_y 325<br />
<br />
# These settings set the "archlinux-retro" panel in the center of a 1680x1050 screen<br />
input_panel_x 615<br />
input_panel_y 400<br />
<br />
If your theme has a background picture you should use the background_style setting ('stretch', 'tile', 'center' or 'color') to get it correctly displayed. Have a look at the [http://slim.berlios.de/themes_howto.php very simple and clear official documentation about slim themes] for further details.<br />
<br />
== Other options ==<br />
<br />
A few things you might like to try.<br />
<br />
=== Changing the cursor ===<br />
<br />
If you want to change the default X cursor to a newer design, the {{Package AUR|slim-cursor}} package is available.<br />
<br />
After installing, edit {{Filename|/etc/slim.conf}} and uncomment the line:<br />
<br />
cursor left_ptr<br />
<br />
This will give you a normal arrow instead. This setting is forwarded to {{Codeline|xsetroot -cursor_name}}. You can look up the possible cursor names [http://cvsweb.xfree86.org/cvsweb/*checkout*/xc/lib/X11/cursorfont.h?rev=HEAD&content-type=text/plain here] or in {{Filename|/usr/share/icons/<your-cursor-theme>/cursors/}}.<br />
<br />
To change the cursor theme being used at the login screen, make a file named {{Filename|/usr/share/icons/default/index.theme}} with this content:<br />
<br />
[Icon Theme]<br />
Inherits=<your-cursor-theme><br />
<br />
Replace <your-cursor-theme> with the name of the cursor theme you want to use (e.g. whiteglass).<br />
<br />
=== Match SLiM and Desktop Wallpaper ===<br />
<br />
To share a wallpaper between SLiM and your desktop, rename the used theme background, then create a link from your desktop wallpaper file to the default SLiM theme:<br />
<br />
# mv /usr/share/slim/themes/default/background.jpg{,.bck}<br />
# ln -s /path/to/mywallpaper.jpg /usr/share/slim/themes/default/background.jpg<br />
<br />
=== Shutdown, reboot, suspend, exit, launch terminal from SLiM ===<br />
<br />
You may shutdown, reboot, suspend, exit or even launch a terminal from the SLiM login screen. To do so, enter one of the following values in the username field and the root password in the password field:<br />
<br />
* To launch a terminal, enter '''console''' as the username (defaults to xterm, which must be installed separately; edit {{Filename|/etc/slim.conf}} to change the terminal preference)<br />
* For shutdown, enter '''halt''' as the username<br />
* For reboot, enter '''reboot''' as the username<br />
* To exit to bash, enter '''exit''' as the username<br />
* For suspend, enter '''suspend''' as the username. Suspend is disabled by default: edit {{Filename|/etc/slim.conf}} as root, uncomment the {{Filename|suspend_cmd}} line and, if necessary, modify the suspend command itself (e.g. change {{Codeline|/usr/sbin/suspend}} to {{Codeline|sudo /usr/sbin/pm-suspend}})<br />
<br />
=== Power-off error with Splashy ===<br />
<br />
If you use Splashy together with SLiM, you sometimes cannot power off or reboot from the menu in GNOME, Xfce, LXDE or other desktops. Check {{Filename|/etc/slim.conf}} and {{Filename|/etc/splash.conf}}: set DEFAULT_TTY=7 in splash.conf so that it matches the vt07 in xserver_arguments.<br />
<br />
=== Login information with SLiM ===<br />
<br />
By default, SLiM fails to log logins to utmp and wtmp which causes who, last, etc. to misreport login information. To fix this edit your {{Filename|slim.conf}} as follows:<br />
<br />
sessionstart_cmd /usr/bin/sessreg -a -l $DISPLAY %user<br />
sessionstop_cmd /usr/bin/sessreg -d -l $DISPLAY %user<br />
<br />
=== SLiM and Gnome Keyring ===<br />
If you are using SLiM to launch a Gnome session and have trouble accessing your keyring, for example not being automatically authenticated on login, add the following lines to /etc/pam.d/slim (as discussed [http://bugs.archlinux.org/task/18637 here]).<br />
<pre><br />
auth optional pam_gnome_keyring.so<br />
session optional pam_gnome_keyring.so auto_start<br />
</pre><br />
<br />
=== Setting DPI with SLiM ===<br />
<br />
The Xorg server generally picks up the DPI but if it doesn't you can specify it to SLiM. If you set the DPI with the argument -dpi 96 in {{Filename|/etc/X11/xinit/xserverrc}} it will not work with SLiM. To fix this change your {{Filename|slim.conf}} from:<br />
<br />
xserver_arguments -nolisten tcp vt07 <br />
<br />
to<br />
<br />
xserver_arguments -nolisten tcp vt07 -dpi 96<br />
<br />
=== Use a random theme ===<br />
<br />
Use the current_theme variable as a comma separated list to specify a set to randomly choose from.<br />
<br />
== Resources ==<br />
<br />
* [http://slim.berlios.de/ SLiM homepage]<br />
* [http://slim.berlios.de/manual.php SLiM documentation]</div>Foucaulthttps://wiki.archlinux.org/index.php?title=SLiM&diff=103285SLiM2010-04-14T16:14:33Z<p>Foucault: /* Other options */</p>
<hr />
<div>[[Category:Display managers (English)]]<br />
{{i18n|SLiM}}<br />
{{Article summary start}}<br />
{{Article summary text|Provides an overview of the Simple Login Manager.}}<br />
{{Article summary heading|Related}}<br />
{{Article summary wiki|Display Manager}}<br />
{{Article summary end}}<br />
[http://slim.berlios.de/ SLiM] is an acronym for Simple Login Manager. SLiM is simple, lightweight and easily configurable. SLiM is used by some because it does not require the dependencies of [[GNOME]] or [[KDE]] and can help make a lighter system for users that like to use lightweight desktops like [[Xfce]], [[Openbox]], and [[Fluxbox]].<br />
<br />
== Installation ==<br />
<br />
Install SLiM from the '''extra''' repository:<br />
<br />
# pacman -S slim<br />
<br />
== Configuration ==<br />
<br />
=== Enabling SLiM ===<br />
<br />
SLiM can be loaded on startup by entering it in your daemons array in {{Filename|rc.conf}} or by modifying {{Filename|inittab}}. See [[Display Manager]] for detailed instructions.<br />
<br />
=== Single environments ===<br />
<br />
To configure SLiM to load a particular environment, edit your {{Filename|~/.xinitrc}} to load your desktop environment:<br />
<br />
<pre><br />
#!/bin/sh<br />
<br />
#<br />
# ~/.xinitrc<br />
#<br />
# Executed by startx (run your window manager from here)<br />
#<br />
<br />
exec [session-command]<br />
</pre><br />
<br />
SLiM reads the local {{Filename|~/.xinitrc}} configuration and then launches the desktop according to what is in that file. If you do not have have a {{Filename|~/.xinitrc}} file, you can use the skeleton file by:<br />
<br />
$ cp /etc/skel/.xinitrc $HOME<br />
<br />
Replace {{Codeline|[session-command]}} with the appropriate session command. Some examples of different desktop start commands:<br />
<br />
<pre><br />
exec awesome<br />
exec fluxbox<br />
exec fvwm2<br />
exec gnome-session<br />
exec openbox-session<br />
exec startkde<br />
exec startlxde<br />
exec startxfce4<br />
</pre><br />
<br />
If your environment is not listed here, refer to the appropriate wiki page.<br />
<br />
=== PolicyKit ===<br />
<br />
If you have problems with the PolicyKit, use ConsoleKit's {{Codeline|ck-launch-session}}:<br />
<br />
<pre><br />
#!/bin/sh<br />
<br />
#<br />
# ~/.xinitrc<br />
#<br />
# Executed by startx (run your window manager from here)<br />
#<br />
<br />
exec ck-launch-session [session-command]<br />
</pre><br />
<br />
=== Multiple environments ===<br />
<br />
To be able to choose from multiple desktop environments, SLiM can be setup to log you into whichever you choose.<br />
<br />
Put a case statement similar to this one in your {{Filename|~/.xinitrc}} file and edit the sessions variable in {{Filename|/etc/slim.conf}} to match the names that trigger the case statement. You can choose the session at login time by pressing F1. Note that this feature is experimental.<br />
<br />
<pre><br />
# The following variable defines the session which is started if the user doesn't explicitly select a session<br />
# Source: http://svn.berlios.de/svnroot/repos/slim/trunk/xinitrc.sample<br />
<br />
DEFAULT_SESSION=twm<br />
<br />
case $1 in<br />
kde)<br />
exec startkde<br />
;;<br />
xfce4)<br />
exec startxfce4<br />
;;<br />
icewm)<br />
icewmbg &<br />
icewmtray &<br />
exec icewm<br />
;;<br />
wmaker)<br />
exec wmaker<br />
;;<br />
blackbox)<br />
exec blackbox<br />
;;<br />
*)<br />
exec $DEFAULT_SESSION<br />
;;<br />
esac<br />
</pre><br />
<br />
=== Themes ===<br />
<br />
Install the {{Package Official|slim-themes}} package:<br />
<br />
# pacman -S slim-themes archlinux-themes-slim<br />
<br />
The {{Package Official|archlinux-themes-slim}} package contains several different themes. Look in the directory {{Filename|/usr/share/slim/themes}} to see the themes available. Enter the theme name on the 'current_theme' line in {{Filename|/etc/slim.conf}}:<br />
<br />
#current_theme default<br />
current_theme archlinux-simplyblack<br />
<br />
To preview a theme when no instance of the Xorg server is running, run:<br />
<br />
$ slim -p /usr/share/slim/themes/<theme name><br />
<br />
To close, type "exit" in the Login line and press Enter.<br />
<br />
Additional theme packages can be found in the [[AUR]].<br />
<br />
==== Dual screen setup ====<br />
<br />
You can customize the SLiM theme in {{Filename|/usr/share/slim/themes/<your-theme>/slim.theme}} to turn these percentage values (the input box itself is 450 pixels by 250 pixels):<br />
<br />
input_panel_x 50%<br />
input_panel_y 50%<br />
<br />
into pixel values, i.e. (screen width - 450) / 2 and (screen height - 250) / 2 to center the box:<br />
<br />
# These settings set the "archlinux-simplyblack" panel in the center of a 1440x900 screen<br />
input_panel_x 495<br />
input_panel_y 325<br />
<br />
# These settings set the "archlinux-retro" panel in the center of a 1680x1050 screen<br />
input_panel_x 615<br />
input_panel_y 400<br />
<br />
If your theme has a background picture you should use the background_style setting ('stretch', 'tile', 'center' or 'color') to get it correctly displayed. Have a look at the [http://slim.berlios.de/themes_howto.php very simple and clear official documentation about slim themes] for further details.<br />
<br />
== Other options ==<br />
<br />
A few things you might like to try.<br />
<br />
=== Changing the cursor ===<br />
<br />
If you want to change the default X cursor to a newer design, the {{Package AUR|slim-cursor}} package is available.<br />
<br />
After installing, edit {{Filename|/etc/slim.conf}} and uncomment the line:<br />
<br />
cursor left_ptr<br />
<br />
This will give you a normal arrow instead. This setting is forwarded to {{Codeline|xsetroot -cursor_name}}. You can look up the possible cursor names [http://cvsweb.xfree86.org/cvsweb/*checkout*/xc/lib/X11/cursorfont.h?rev=HEAD&content-type=text/plain here] or in {{Filename|/usr/share/icons/<your-cursor-theme>/cursors/}}.<br />
<br />
To change the cursor theme being used at the login screen, make a file named {{Filename|/usr/share/icons/default/index.theme}} with this content:<br />
<br />
[Icon Theme]<br />
Inherits=<your-cursor-theme><br />
<br />
Replace <your-cursor-theme> with the name of the cursor theme you want to use (e.g. whiteglass).<br />
<br />
=== Match SLiM and Desktop Wallpaper ===<br />
<br />
To share a wallpaper between SLiM and your desktop, rename the used theme background, then create a link from your desktop wallpaper file to the default SLiM theme:<br />
<br />
# mv /usr/share/slim/themes/default/background.jpg{,.bck}<br />
# ln -s /path/to/mywallpaper.jpg /usr/share/slim/themes/default/background.jpg<br />
<br />
=== Shutdown, reboot, suspend, exit, launch terminal from SLiM ===<br />
<br />
You may shut down, reboot, suspend, exit or even launch a terminal from the SLiM login screen. To do so, enter one of the following values in the username field, and the root password in the password field:<br />
<br />
* To launch a terminal, enter '''console''' as the username (defaults to xterm, which must be installed separately; edit {{Filename|/etc/slim.conf}} to change the terminal preference)<br />
* For shutdown, enter '''halt''' as the username<br />
* For reboot, enter '''reboot''' as the username<br />
* To exit to bash, enter '''exit''' as the username<br />
* For suspend, enter '''suspend''' as the username (suspend is disabled by default; edit {{Filename|/etc/slim.conf}} as root to uncomment the {{Filename|suspend_cmd}} line and, if necessary, modify the suspend command itself, e.g. change {{Codeline|/usr/sbin/suspend}} to {{Codeline|sudo /usr/sbin/pm-suspend}})<br />
<br />
=== Power-off error with Splashy ===<br />
<br />
If you use Splashy and SLiM, sometimes you cannot power off or reboot from the menu in GNOME, Xfce, LXDE or others. Check your {{Filename|/etc/slim.conf}} and {{Filename|/etc/splash.conf}}: set DEFAULT_TTY=7 in {{Filename|/etc/splash.conf}} so that it matches the vt07 in xserver_arguments.<br />
<br />
=== Login information with SLiM ===<br />
<br />
By default, SLiM fails to log logins to utmp and wtmp which causes who, last, etc. to misreport login information. To fix this edit your {{Filename|slim.conf}} as follows:<br />
<br />
sessionstart_cmd /usr/bin/sessreg -a -l $DISPLAY %user<br />
sessionstop_cmd /usr/bin/sessreg -d -l $DISPLAY %user<br />
<br />
=== SLiM and Gnome Keyring ===<br />
If you are using SLiM to launch a GNOME session and have trouble accessing your keyring, add the following lines to {{Filename|/etc/pam.d/slim}} (as discussed [http://bugs.archlinux.org/task/18637 here]):<br />
<pre><br />
auth optional pam_gnome_keyring.so<br />
session optional pam_gnome_keyring.so auto_start<br />
</pre><br />
<br />
=== Setting DPI with SLiM ===<br />
<br />
The Xorg server generally picks up the DPI but if it doesn't you can specify it to SLiM. If you set the DPI with the argument -dpi 96 in {{Filename|/etc/X11/xinit/xserverrc}} it will not work with SLiM. To fix this change your {{Filename|slim.conf}} from:<br />
<br />
xserver_arguments -nolisten tcp vt07 <br />
<br />
to<br />
<br />
xserver_arguments -nolisten tcp vt07 -dpi 96<br />
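The following script is an added example, not code from this wiki page or from the SLiM project. It audits a {{Filename|slim.conf}} for the points raised in the sections above: whether the sessreg lines from "Login information with SLiM" are active (so who and last report logins), whether xserver_arguments keeps {{Codeline|-nolisten tcp}}, and which vt number is used (to compare with DEFAULT_TTY from the Splashy section). The function names and the sample configuration are constructed for this example; a real configuration lives at {{Filename|/etc/slim.conf}}.<br />

```shell
#!/bin/sh
# Added example (not from the ArchWiki page or the SLiM project): audit a
# slim.conf for the settings discussed above. slim_value, slim_vt and
# audit_slim_conf are names chosen here, not SLiM commands. POSIX sh plus awk.

# Constructed slim.conf excerpt with the login-accounting lines still
# commented out, as on a default install; the real file is /etc/slim.conf.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed excerpt, not a real /etc/slim.conf
default_path        /bin:/usr/bin:/usr/local/bin
xserver_arguments   -nolisten tcp vt07
#sessionstart_cmd   /usr/bin/sessreg -a -l $DISPLAY %user
#sessionstop_cmd    /usr/bin/sessreg -d -l $DISPLAY %user
#suspend_cmd        /usr/sbin/suspend
current_theme       archlinux-simplyblack
EOF

# The same excerpt with the two sessreg lines enabled, as the page recommends.
FIXED_CONF=$(mktemp)
sed 's/^#sessionst/sessionst/' "$SAMPLE_CONF" > "$FIXED_CONF"
trap 'rm -f "$SAMPLE_CONF" "$FIXED_CONF"' EXIT

# slim_value KEY FILE: print the value of the active (uncommented) KEY, or
# nothing if the key is absent or disabled with a leading '#'.
slim_value() {
    awk -v key="$1" '$1 == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$2"
}

# slim_vt FILE: print the virtual terminal number from xserver_arguments
# (vt07 -> 7), for comparison with DEFAULT_TTY in /etc/splash.conf.
slim_vt() {
    slim_value xserver_arguments "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^vt[0-9]+$/) { sub(/^vt0*/, "", $i); print $i } }'
}

# audit_slim_conf FILE: print one line per finding and return the number of
# findings (0 means every check passed).
audit_slim_conf() {
    conf=$1
    n=0
    case "$(slim_value sessionstart_cmd "$conf")" in
        *sessreg*) ;;
        *) echo "sessionstart_cmd does not call sessreg: logins will be missing from utmp/wtmp"
           n=$((n + 1)) ;;
    esac
    case "$(slim_value sessionstop_cmd "$conf")" in
        *sessreg*) ;;
        *) echo "sessionstop_cmd does not call sessreg: logouts will be missing from utmp/wtmp"
           n=$((n + 1)) ;;
    esac
    case "$(slim_value xserver_arguments "$conf")" in
        *"-nolisten tcp"*) ;;
        *) echo "xserver_arguments lacks -nolisten tcp: the X server would accept TCP clients"
           n=$((n + 1)) ;;
    esac
    # Informational only: suspend_cmd enables the 'suspend' username at the login prompt.
    if [ -n "$(slim_value suspend_cmd "$conf")" ]; then
        echo "note: suspend_cmd is enabled, so 'suspend' at the login prompt is active"
    fi
    return "$n"
}

echo "== default-style config (vt $(slim_vt "$SAMPLE_CONF")) =="
audit_slim_conf "$SAMPLE_CONF" || echo "findings: $?"
echo "== config with sessreg enabled =="
audit_slim_conf "$FIXED_CONF" && echo "findings: 0"
```

Run it on a live system by replacing the constructed files with {{Filename|/etc/slim.conf}}; the sample reports two findings (both sessreg lines disabled), the corrected copy reports none.<br />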
<br />
=== Use a random theme ===<br />
<br />
Set the current_theme variable to a comma-separated list of theme names to specify a set that SLiM randomly chooses from.<br />
<br />
== Resources ==<br />
<br />
* [http://slim.berlios.de/ SLiM homepage]<br />
* [http://slim.berlios.de/manual.php SLiM documentation]</div>Foucault