README for the ipip encapsulation daemon as distributed by Bdale Garbee N3EUA.

This is a derivation of Mike Westerhof's ipip daemon for Unix machines.  Mike
provided code that worked for SunOS, I ported the daemon to HP-UX and BSD/OS,
and Ron Atkinson N8FOW and John Paul Morrison provided the tweaks for Linux.

I am once again actively maintaining the ipip package, and as a Debian
GNU/Linux maintainer, that's the platform I'm doing the work on.  The BSD
support should mostly still work, but is untested by me in recent times.  It
should be trivial to unpack and build these sources on non-Debian Linux
systems, and not hard on any system with BSD-style sockets.

To build the daemon:

        # you've obviously already unpacked the source distribution.  On BSD
        # systems, I like to park it in /usr/src/local/ipip, and augment the
        # Makefiles so that the daemon becomes part of the normal full build.

        # make a copy of the correct Makefile, I like to symlink them and use
        # RCS to manage the changes, but to each his own...

        ln -s Makefile.BSD Makefile
    or
        ln -s Makefile.Linux Makefile

        # edit Makefile to set desired options, as documented below

        # if you're on a BSD system, issue the following four make commands...

        make obj
        make depend
        make
        make install

        # if you're on a Linux system, just do

        make all

To install the daemon:

        Look in the 'samples' subdirectory for examples of how to create a
        config file, which defines interfaces, and a routes file, which sets
        up the routing table.

        The 'bdale' subdirectory has a couple of example configs, one very old
        one from Mike, one that represents almost what Bdale runs today.  The
        'n8fow' subdirectory has Ron's config files, which are perhaps more
        appropriate for Linux users.  I suggest you troll it all, though, and
        see what's there.

        Got questions?  Ask.  It'll help motivate me/us to improve the docs!

To re-build the daemon if you make source changes:

        # if you're on BSD, just do a

        make

        # if you're on Linux, do

        make clean ; make all

Logging output is handled via syslog.  We use the LOCAL0 service specifier in
syslog's configuration file by default.  As a result, make sure to look for
errors in the /var/log/local0 (BSD) or /var/adm/local0 (Linux) or
/usr/adm/local0 (HP-UX) file, and arrange for appropriate log rotation.

You can send a SIGHUP to the daemon after rotating log files and/or loading
new routing information to get it to "restart".  You probably also need to
SIGHUP syslogd to note the log rotation.

The following options are available when running the program (yeah, there
should be a man page, but "life is short and the ROM is full"):

    Options are:
        -help       Print this summary of options
        -v          Print just the version number and exit
        -c file     Use the supplied filename as the config file
        -r file     Use the supplied filename as the route file
        -s n        Report statistics every n minutes
        -np         Don't print the ipip[1234]: prefix
        -nts        Don't include a timestamp in the statistics
        -t          Turn on tracing of incoming packets
        -d          Print out some debugging information

There is one option in the Makefile.  If you include -DAMPRONLY, then any
packets which do not have both source and destination addresses in network 44
get dropped on the floor.  After we had a non-ham on the Internet attack one
of our net-44 subnets, we implemented this firewall, and now use a mixture of
MX records pointing via a dual-homed host and socks services to do everything
we want from the network 44 side while presenting a blank wall to non-net-44
initiated connections.  Ugly, but it works.  Someday when I'm resting, I'll
put screend up to manage the firewall and return the ipip daemon to being
"transparent".  But not today...

If you have questions about this stuff, I can be reached as bdale@gag.com.  If
you make changes or improvements, please send them along so I can update the
distribution.
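
The -DAMPRONLY rule described above, as an added example that is not code from
the ipip distribution: a hypothetical function ampr_only_accept() that lets an
IPv4 packet through only when both its source and destination addresses are in
network 44, taken here to mean a first address octet of 44.  The sample headers
are constructed, and malformed or truncated input is dropped.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define AMPR_NET 44u  /* assumption: "network 44" means first address octet 44 */

/* Hypothetical helper, not from the ipip sources.
 * Returns 1 if the packet may be forwarded, 0 if it must be dropped. */
int ampr_only_accept(const uint8_t *pkt, size_t len)
{
    size_t ihl, total;

    if (pkt == NULL || len < 20)        /* too short for an IPv4 header */
        return 0;
    if ((pkt[0] >> 4) != 4)             /* not IPv4 */
        return 0;
    ihl = (size_t)(pkt[0] & 0x0f) * 4;  /* header length in bytes */
    total = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || total < ihl || total > len)
        return 0;                       /* malformed or truncated: fail closed */
    /* source address starts at offset 12, destination at offset 16 */
    return pkt[12] == AMPR_NET && pkt[16] == AMPR_NET;
}

/* Constructed sample headers (20 bytes, no payload, checksum left zero). */
static const uint8_t both_44[20] = {
    0x45, 0, 0, 20, 0, 0, 0, 0, 64, 1, 0, 0, 44, 0, 0, 1, 44, 0, 0, 2 };
static const uint8_t outside_src[20] = {
    0x45, 0, 0, 20, 0, 0, 0, 0, 64, 1, 0, 0, 192, 0, 2, 7, 44, 0, 0, 2 };
static const uint8_t outside_dst[20] = {
    0x45, 0, 0, 20, 0, 0, 0, 0, 64, 1, 0, 0, 44, 0, 0, 1, 192, 0, 2, 7 };

static const char *verdict(const uint8_t *p, size_t n)
{
    return ampr_only_accept(p, n) ? "forward" : "drop";
}

int main(void)
{
    printf("44.0.0.1  -> 44.0.0.2  : %s\n", verdict(both_44, sizeof both_44));
    printf("192.0.2.7 -> 44.0.0.2  : %s\n", verdict(outside_src, sizeof outside_src));
    printf("44.0.0.1  -> 192.0.2.7 : %s\n", verdict(outside_dst, sizeof outside_dst));
    printf("truncated to 12 bytes  : %s\n", verdict(both_44, 12));
    return 0;
}
```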