The officially official Devuan Forum!

You are not logged in.

#1 2019-01-31 05:06:46

nogeek
Member
Registered: 2018-07-15
Posts: 24  

safe networking with only one tool

Hello everybody.
=->

I am at the beginning of learning how networking works.
Long time ago I have removed wicd-gtk and from there on I used only the dhclient command.

I have read some explanations and manual entries about networking with GNU / Linux and there are still many things I do not understand (seems like an own world to me ^o^), but I figured out, that dhcp has some heavy security issues:
https://en.wikipedia.org/wiki/Dynamic_H … l#Security
https://en.wikipedia.org/wiki/Rogue_DHCP
https://en.wikipedia.org/wiki/DHCP_snooping
https://en.wikipedia.org/wiki/Network_i … starvation
, so I decided not to use it anymore, removed the dhcp packages and disabled it in my router.

Further I understand that the net-tools seems to be obsolet and that it will be totally replaced by iproute2 in the future (correct me if I am wrong), and that they are only in the repos (and the basic install) because some scripts or programs are still use them.
I have removed net-tools from my system, cause I do not have any packages installed wich depend on it:

apt-cache rdepends net-tools

At the moment I am using ifupdown to get my network working after I logged in.

But I think I have understand that ifupdown is only a tool to using iproute2 with, so I wanted to know if it is possible to use only iproute2 to get my network working.
I have removed ifupdown, /etc/network (it was created by iproute2 but contains only ifupdown stuff), reboot the system and runned

ip addr add 192.168.0.254/27 brd + dev eth0

followed by

ip link set eth0 up

and dmesg said that the link becomes ready but I can not get a connection...
What is missing?

Also after a few playing with ifupdown (after installed it again from a local repo) I have figured out that the files /etc/networks and /etc/resolv.conf seems to be necessary to get a connection...
(resolv.conf was configured by the dhclient comand I used in the past I think...)

At least: is netbase a necessary package for networking?

apt show -a netbase | tail -n 2
Description: Basic TCP/IP networking system

ifconfig has it as a depedencie but iproute2 not, also not its dependencies or sub dependencies...

Offline

#2 2019-01-31 07:45:47

ralph.ronnquist
Administrator
From: Battery Point, Tasmania, AUS
Registered: 2016-11-30
Posts: 1,251  

Re: safe networking with only one tool

/etc/resolv.conf is needed for DNS to work, but before that you need to declare the routing paths.

How about adding a default route?

# ip route add default via 192.168.0.1 dev eth0

That's assuming your router having IP 192.168.0.1. Use

$ ip route show

to inspect the routing table. There's plenty more to read about routing, which is what provides networking above the link level packet exchange.

You don't need /etc/networks or the /etc/network tree; these are used by the ifupdown networking support, but they are not necessary for networking to work.

Offline

#3 2019-06-20 22:33:50

nogeek
Member
Registered: 2018-07-15
Posts: 24  

Re: safe networking with only one tool

I forgot to post here in the past:
It do not work for me.

Offline

#4 2019-06-21 04:18:16

Dutch_Master
Member
Registered: 2018-05-31
Posts: 285  

Re: safe networking with only one tool

IMO you're too paranoid about DHCP. I've noticed you mentioned your setup uses a router, so I assume that's also your gateway to the web via your ISP. That router has a firewall to prevent access from outside to your network. Therefor, your DHCP stack is protected from attacks. Re-install DHCP, re-enable it on your router so you can spend your time on other things. smile

Online

#5 2019-06-21 17:35:49

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: safe networking with only one tool

nogeek wrote:
ip addr add 192.168.0.254/27 brd + dev eth0

followed by

ip link set eth0 up

That address looks wrong — are you sure you need a /27 subnet mask? Most networks will use /24 instead.

And you don't need the brd + bit at all.

To determine the correct address range enable DHCP, use that to connect and then run

ip a
ip r

The addresses can then be copied for your custom commands.

nogeek wrote:

It do not work for me.

You need to post exactly what you tried so that we can see where you went wrong.

Have you populated /etc/resolv.conf with valid nameservers?

I use the plain ip command & wpa_supplicant to connect via wireless on my laptop, it works well.


Brianna Ghey — Rest In Power

Offline

#6 2019-06-23 03:28:12

nogeek
Member
Registered: 2018-07-15
Posts: 24  

Re: safe networking with only one tool

Dutch_Master wrote:

IMO you're too paranoid about DHCP.

Maybe you should read my first post again... and the wikipedia entries too.
I figured out that in "Computer-Stuff" forums some people call you paranoid when you just a careful person...
I do not understand this and to me it sounds like a slander...
But maybe this people just do not known what being paranoid is like?
Paranoid means the fear of something that do not exist, that's all!
But the security issues about dhcp do exist.

Dutch_Master wrote:

I've noticed you mentioned your setup uses a router, so I assume that's also your gateway to the web via your ISP.

Is it possible to setup a network without using a router (and ISP) (maybe that is a hint for mesh networking? yeah... I am a noob in the most things...).

Dutch_Master wrote:

That router has a firewall to prevent access from outside to your network.

I am not sure about that firewall in the router you have talked about, I can not find anything like that in the router preferences.
Btw: Soon I will buy a Free-Open-Hardware LAN-Router from ThinkPenguin with LibreCMC pre-installed. ;-)

Dutch_Master wrote:

Re-install DHCP, re-enable it on your router so you can spend your time on other things. smile

At the moment I am using ifup and ifdown and I will never need or want dhcp again.

Last edited by nogeek (2019-06-23 03:42:49)

Offline

#7 2019-06-23 03:37:58

nogeek
Member
Registered: 2018-07-15
Posts: 24  

Re: safe networking with only one tool

Head_on_a_Stick wrote:
nogeek wrote:

It do not work for me.

You need to post exactly what you tried so that we can see where you went wrong.

Have you populated /etc/resolv.conf with valid nameservers?

Hey Head_on_a_Stick.
It is some time ago I have done this, so I mostly forgot what I have done...
But yes I have had populated /etc/resolv.conf with valid nameservers.

Head_on_a_Stick wrote:
nogeek wrote:
ip addr add 192.168.0.254/27 brd + dev eth0

followed by

ip link set eth0 up

That address looks wrong — are you sure you need a /27 subnet mask? Most networks will use /24 instead.

And you don't need the brd + bit at all.

To determine the correct address range enable DHCP, use that to connect and then run

ip a
ip r

The addresses can then be copied for your custom commands.

I use the plain ip command & wpa_supplicant to connect via wireless on my laptop, it works well.

Thank you for the advice of a professional! ;-)
I hope I will soon find some time to try this out, and I will reporting it here if it works for me or not with a precise description what I have done (like in my first post).

Offline

#8 2019-06-23 09:35:29

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: safe networking with only one tool

nogeek wrote:

I am not sure about that firewall in the router you have talked about, I can not find anything like that in the router preferences.

I think Dutch_Master is referring to the NAT provided by your router, this is known as a hardware firewall and prevents your local IP addresses from being accessed from the interweb.

If you plug your ethernet connection in directly without using a router then you will lose the protections afforded by NAT, this is not advisable.

nogeek wrote:

Thank you for the advice of a professional!

I don't have any formal training in IT and I work as a professional motorcyclist smile


Brianna Ghey — Rest In Power

Offline

Board footer