Installing NoCat
Here are the instructions for installing
NoCatAuth on your Linux box:
1.
Make sure you are logged
on as the root user.
2.
Go to the temporary
directory where you downloaded the NoCatAuth software and
decompress it using the File Roller or a similar
utility. All the files for installing the gateway will be
unpacked into a subdirectory named NoCatAuth-nightly.
3.
Go to the NoCatAuth-nightly
subdirectory and type: make
gateway. This
installs the unpacked program files
in their operational folders. Although it’s possible to edit the
Makefile
to specify your own paths
for installing program files, I would recommend
that most people install in the default configuration
first, if possible. Using a custom
configuration creates one more possible source of problems. You
should try to simplify things as
much as possible at this point.
That’s it. NoCatAuth should be installed.
Do a very basic test by typing
/usr/local/nocat/bin/gateway
at the command
prompt to start the gateway. You should see something like this:
[2004-02-12 08:39:23] Resetting firewall.
[2004-02-12 08:39:23] Detected InternalDevice
‘eth0’
[2004-02-12 08:39:23] Detected ExternalDevice
‘eth1’
[2004-02-12 08:39:23] Detected LocalNetwork
‘192.168.2.0/255.255.255.0’
[2004-02-12 08:39:24] Binding listener socket to
0.0.0.0
If you get error messages, read the INSTALL file
for possible fixes. Some problems may also be fixable by
modifying the configuration file as described in the next
section. However, it is common for installation to go smoothly
up to this point. That doesn’t mean that you are out of the
woods. In fact, you just stepped into the woods.
Configuring NoCat
Once NoCat is installed, the next step is to
review and edit the configuration file,
/usr/local/nocat/nocat.conf,
to reflect your network and preferences.Note that most of the
parameters can remain commented out in most cases. Many do not
need to be manually configured. For
instance,NoCat is usually smart enough to figure out which of
your Ethernet cards is connected to
the Internet, and which is connected to the local (“internal”)
wireless network. That is why, at
the end of the previous section, you may have been able to fire
up NoCatAuth, and, without changing
anything in the configuration file, get start-up messages like
Detected
InternalDevice ‘eth0’.NoCat also usually figures
out the IP address of the internal subnet.
That being said, here are some of the more
important parameters that you may need to or want to set:
GatewayName—
The gateway name displayed to users on the locally stored splash
and status pages (/usr/local/nocat/htdocs/splash.html
and/usr/local/nocat/htdocs/status.html).
Note that this does not affect the login and logout screens
displayed by the public NoCat auth server.
GatewayMode—
This parameter configures the gateway to operate in Open,
Passive, or Captive mode. Open mode displays a local splash
screen that you can edit, and does not
support username/password login. The other two display a
login screen served by the auth
server, and do support username/password login. The difference
between Passive
and Captive is that Passive allows the gateway
to operate even if there is a Network Address Translation (NAT)
device between the gateway and the auth server. Captive mode is
present for compatibility with past versions of NoCatAuth; you
won’t use it in this chapter. Use Passive instead of Captive for
new installations.
InternalDevice—Usually
auto-configured. The NIC connected to the AP. In Red
Hat 9, usually eth0.
ExternalDevice—Usually
auto-configured. The NIC connected to the WAN. In
Red Hat 9, usually
eth1.
LocalNetwork—Usually
auto-configured. The subnet address of the
InternalDevice.
Examples: 192.168.2.0/255.255.255.0 or 192.168.2.0/24 (two ways
of expressing the same thing)
DNSAddr—If
you have a local caching DNS server on your Linux box, you
should leave this option commented out. Otherwise, this
parameter should specify the IP address of
the external DNS server.
AuthServiceAddr and
AuthServiceURL—These
specify the authentication server’s IP address and URL. Just
leave the defaults if you want to use the auth server at
nocat.net.
AllowedWebHosts—A
list of allowed domains. All other Web sites are inaccessible.
MembersOnly—Disables
the Public access class of service when set to 1. (But hosts
named in
AllowedWebHosts
remain accessible to everyone.) In Passive mode, users
can prove that they belong to the Owners or Co-op class
by submitting a username and
password to the auth server. In Open mode, since there is no
opportunity to submit a username
and password, all users are treated the same: Uncommenting
MembersOnly disables
Internet access, except to hosts named in
AllowedWebHosts.
MembersOnly is commented
out by default.
IncludePorts and
ExcludePorts—These
allow you to restrict the use of certain ports for Public class
users, either by allowing certain ports and no others
(IncludePorts)
or by disallowing certain ports and permitting all others
(ExcludePorts).
This is where, by default, outgoing mail is blocked by excluding
port 25. If you set up a public
portal, comment out the
Exclude Ports 25
line in
nocat.conf
if you want your users to
be able to send mail using mail clients such as Microsoft
Outlook. The alternative will probably be dealing with lots of
questions and complaints. (It will
not be clear to users why they can’t send mail. It just won’t
work. Of course, you can explain it
on the splash page, which everyone will read with meticulous
attention.) If both these parameters are commented out,
all ports are allowed.