[PLUG] List of problems Debian 9.8.0 server...

Russell Senior russell at personaltelco.net
Wed Mar 20 06:32:42 UTC 2019


On Tue, Mar 19, 2019 at 8:36 PM Michael Christopher Robinson <michael at robinson-west.com> wrote:

> > Why are you using wireless on a server?
> Because this server is a gateway/content filter for my lan out to the
> Internet.  I'm looking at reconfiguring the Spectrum Sagemcom wireless
> router and adding another wired network port to the debian box, but I'd
> prefer to turn the Sagemcom in as I don't particularly like it and I
> may be dumping Spectrum because $70/month is a lot of money.  Spectrum
> doesn't offer content filtering and what they do offer requires
> Microsoft Windows.  Useless if you have a smartphone, computer, or
> tablet that doesn't run Windows.  There is a URL list in the Sagemcom,
> but that is highly ineffective and not realistic if you need real
> content filtering.  I'm running e2guardian which is supported on 64
> bit AMD computers running Debian Stretch...  my Pi 3 won't run
> e2guardian.  Wireless is needed by Android smartphones and a lot of
> tablets that cannot make wired connections.
>
> > > 7 port USB2 hub not detecting at all.
> It says made in China where I wasn't aware that USB 2.0 hubs require
> special drivers in Linux.  Doesn't even show up when I do lsusb.  I
> figure a powered hub that isn't made of metal will not block wifi
> signals and it's powered so maybe the wifi signal will be stronger,
> important if you are trying to create a hotspot.
>

They don't require a special driver. Something else is wrong.


> > > The iptables rules are not loading at all at boot.
> /etc/iptables/rules.v4 ... Is this the wrong place for that file?
> Without masquerading in the nat table, there is no access at all
> to the Internet for lan clients.  Maybe I need squid, transparent
> proxying, and no masquerading.
>

I don't use debian for routing anymore, so I'm useless here.

I can, however, recite from memory the iptables rule for masquerading:

  iptables -t nat -I POSTROUTING -o $WANIF -j MASQUERADE

Where $WANIF is your wan interface (or whatever the outbound interface you
want the network address translation to occur on, typically your WAN).


>
> > > isc-dhcp-server has to be restarted after wireless card brought up.
> Because the driver for it taints the kernel, there are potential issues
> with getting the wireless card up at all at boot time.  Without dhcp,
> you can't get an ip address on a smartphone/tablet trying to connect
> via wifi.
>

Clients will normally renew a lease about half way through the lease time.
Requesting a lease renewal is something the client is in charge of.


>
> > > Stuck plugging into server case front panel USB ports Linksys
> > > wireless adapter which blocks the wifi signal because the case is
> > > metal.
> Because the USB hub doesn't work, this is a significant issue.  See
> above.
>

There are such things as USB extension cables. They can be up to 15 feet
(or 5 meters), or longer if there is an active component to repeat the USB
signal.


>
> > > Yubikey not set up.
> I have a blue Yubikey security key that I want to require the presence
> of if you want to log in as root and I want to disable ssh to root and
> entering a mere password to get root.  I'm hoping to implement a policy
> of no access to root without the physical key.  If you want to be root,
> plug in and tap the Yubikey.
>

It sounds like you have one of the FIDO U2F yubikeys. I have no idea how to
set that up. It would probably involve PAM (pluggable authentication
modules). Maybe this would help: https://github.com/Yubico/yubico-pam ...
no promises.


>
> > > No https proxy using sslbump.  Though I am configuring lan clients
> > > to use a local dns server which forwards from opendns, this may be
> > > sufficient for filtering purposes.
> OpenDNS is a service that supports answering dns requests based on
> content type and filtering settings.  If a site provides say bad
> content, you get an IP pointing to a server that says bad content is
> denied.
>
>

> > > Wireless not filtered by squid proxy unless clients explicitly go
> > > to the proxy.
> This means clients can defeat having e2guardian filter them.  Why set
> up a content filter if people who are supposed to be going through it
> can get around it?
>
> > > No transparent proxying.  It has been a long time since I last set
> > > this up where I'm concerned that e2guardian will block sites it
> > > shouldn't and that there will be no administrative way around that.
> Too bad I can't set up a web site on the server where an admin can log
> in and type in URLs explicitly that are exceptional or that need to be
> blocked.  Even nicer, allow per user lists of explicitly allowed and
> explicitly denied URLs.
>

I'm philosophically opposed to content filtering, and therefore not
practiced in doing it and of no practical help, but also, if I did, I
wouldn't tell you.


>
> > > Wireless hotspot is too weak and/or dhcp timing out in 2 hours.
> My Linksys wireless N usb card requires a third-party driver that taints
> the kernel.  I either need a wireless access point that takes a wired
> ethernet connection and another ethernet port on the server...  Or, I
> need a usb wireless card with high gain antenna that Debian Stretch
> Linux supports natively.
>
> I need wifi so Android smartphones and tablets can go online.
>
> An option is to use my Raspberry Pi 3 as a wireless hotspot,
> but the wireless built in to the Pi 3 doesn't have a good antenna,
> a major design flaw IMHO.
>
> Concerning the two hour timeout, that is the lease time for dhcp
> leases.  There should be a brief disruption as your lease is renewed
> and your ip address changes, but not a long one.  Should I increase the
> lease time?
>
> michael at filter:~$ lsusb
> Bus 009 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
> Bus 004 Device 003: ID 13b1:003f Linksys WUSB6300 802.11a/b/g/n/ac
> Wireless Adapter [Realtek RTL8812AU]
> Bus 004 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
> Bus 008 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
> Bus 007 Device 002: ID 1050:0120 Yubico.com Yubikey Touch U2F Security Key
> Bus 007 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
> Bus 002 Device 002: ID 0b95:7720 ASIX Electronics Corp. AX88772
> Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
> Bus 006 Device 002: ID 046d:c52b Logitech, Inc. Unifying Receiver
> Bus 006 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
> Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
> Bus 003 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
> Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
> michael at filter:~$
>
> The Chinese 7 port USB 2 hub is plugged in, but it isn't showing.
>

Are you trying to use the USB wifi radio as an access point or a station?
USB radios traditionally make lousy access points. I'd recommend finding a
regular wifi router. You can configure them to work as a dumb AP (e.g. by
turning their DHCP server off, setting a compatible static IP on the LAN
network, and connecting to them via the LAN port; putting a piece of tape
over the WAN port to reduce confusion sometimes helps).


>
> _______________________________________________
> PLUG mailing list
> PLUG at pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
>
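Added example for the masquerading discussion above (this is editor-supplied code, not something from the thread or from the Debian project): a small POSIX shell script that generates a ruleset in iptables-save format, which is the format the iptables-persistent package loads from /etc/iptables/rules.v4 on Debian, and a check that a ruleset actually contains the MASQUERADE rule for the WAN interface. Beyond the single rule quoted in the reply, it restricts masquerading to the LAN subnet and sets a default-deny FORWARD chain so the gateway only forwards LAN-originated traffic and its replies. The interface names eth0/eth1 and the subnet 192.168.1.0/24 are constructed assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): generate an iptables-save style ruleset
# for a Debian LAN gateway that masquerades out of the WAN interface.
# Assumed (constructed) values: WAN interface eth0, LAN interface eth1,
# LAN subnet 192.168.1.0/24. Loading the output needs root:
#   gen_rules_v4 eth0 eth1 192.168.1.0/24 > /etc/iptables/rules.v4
#   iptables-restore < /etc/iptables/rules.v4

# Validate a Linux interface name: 1-15 characters, no '/' and no spaces.
# Refusing odd names keeps a typo in $WANIF from producing a broken file.
valid_ifname() {
    case "$1" in
        ''|*/*|*' '*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Emit the ruleset on stdout.
# $1 = WAN interface, $2 = LAN interface, $3 = LAN subnet in CIDR notation.
gen_rules_v4() {
    wanif=$1; lanif=$2; lannet=$3
    valid_ifname "$wanif" || { echo "bad WAN interface: $wanif" >&2; return 1; }
    valid_ifname "$lanif" || { echo "bad LAN interface: $lanif" >&2; return 1; }
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Only masquerade traffic that really comes from the LAN subnet.
-A POSTROUTING -s $lannet -o $wanif -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Default-deny forwarding: permit LAN -> WAN and the matching replies only.
-A FORWARD -i $lanif -o $wanif -s $lannet -j ACCEPT
-A FORWARD -i $wanif -o $lanif -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Read a ruleset on stdin and return 0 if it masquerades out of interface $1.
# Handy as a boot-time sanity check against the live ruleset:
#   iptables-save | has_masquerade eth0 || echo "NAT rule missing"
has_masquerade() {
    grep -q -- "-o $1 -j MASQUERADE"
}
```

Two things the file alone does not do: the kernel still needs net.ipv4.ip_forward set to 1 (via sysctl) before it will forward anything, and the rules only take effect at boot once iptables-persistent (its netfilter-persistent service) is installed to read /etc/iptables/rules.v4.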


