Installing NoCat

Here are the instructions for installing NoCatAuth on your Linux box:

1. Make sure you are logged on as the root user.

2. Go to the temporary directory where you downloaded the NoCatAuth software and

decompress it using the File Roller or a similar utility. All the files for installing the gateway will be unpacked into a subdirectory named NoCatAuth-nightly.

3. Go to the NoCatAuth-nightly subdirectory and type: make gateway. This installs the unpacked program files in their operational folders. Although it’s possible to edit the Makefile to specify your own paths for installing program files, I would recommend that most people install in the default configuration first, if possible. Using a custom configuration creates one more possible source of problems. You should try to simplify things as much as possible at this point.

That’s it. NoCatAuth should be installed.

Do a very basic test by typing /usr/local/nocat/bin/gateway at the command prompt to start the gateway. You should see something like this:

[2004-02-12 08:39:23] Resetting firewall.

[2004-02-12 08:39:23] Detected InternalDevice ‘eth0’

[2004-02-12 08:39:23] Detected ExternalDevice ‘eth1’

[2004-02-12 08:39:23] Detected LocalNetwork ‘192.168.2.0/255.255.255.0’

[2004-02-12 08:39:24] Binding listener socket to 0.0.0.0

If you get error messages, read the INSTALL file for possible fixes. Some problems may also be fixable by modifying the configuration file as described in the next section. However, it is common for installation to go smoothly up to this point. That doesn’t mean that you are out of the woods. In fact, you just stepped into the woods.

Configuring NoCat

Once NoCat is installed, the next step is to review and edit the configuration file, /usr/local/nocat/nocat.conf, to reflect your network and preferences.Note that most of the parameters can remain commented out in most cases. Many do not need to be manually configured. For instance,NoCat is usually smart enough to figure out which of your Ethernet cards is connected to the Internet, and which is connected to the local (“internal”) wireless network. That is why, at the end of the previous section, you may have been able to fire up NoCatAuth, and, without changing anything in the configuration file, get start-up messages like Detected InternalDevice ‘eth0’.NoCat also usually figures out the IP address of the internal subnet.

That being said, here are some of the more important parameters that you may need to or want to set:

GatewayName— The gateway name displayed to users on the locally stored splash and status pages (/usr/local/nocat/htdocs/splash.html and/usr/local/nocat/htdocs/status.html). Note that this does not affect the login and logout screens displayed by the public NoCat auth server.

GatewayMode— This parameter configures the gateway to operate in Open, Passive, or Captive mode. Open mode displays a local splash screen that you can edit, and does not support username/password login. The other two display a login screen served by the auth server, and do support username/password login. The difference between Passive

and Captive is that Passive allows the gateway to operate even if there is a Network Address Translation (NAT) device between the gateway and the auth server. Captive mode is present for compatibility with past versions of NoCatAuth; you won’t use it in this chapter. Use Passive instead of Captive for new installations.

InternalDevice—Usually auto-configured. The NIC connected to the AP. In Red Hat 9, usually eth0.

ExternalDevice—Usually auto-configured. The NIC connected to the WAN. In Red Hat 9, usually eth1.

LocalNetwork—Usually auto-configured. The subnet address of the InternalDevice. Examples: 192.168.2.0/255.255.255.0 or 192.168.2.0/24 (two ways of expressing the same thing)

DNSAddr—If you have a local caching DNS server on your Linux box, you should leave this option commented out. Otherwise, this parameter should specify the IP address of the external DNS server.

AuthServiceAddr and AuthServiceURL—These specify the authentication server’s IP address and URL. Just leave the defaults if you want to use the auth server at nocat.net.

AllowedWebHosts—A list of allowed domains. All other Web sites are inaccessible.

MembersOnly—Disables the Public access class of service when set to 1. (But hosts named in AllowedWebHosts remain accessible to everyone.) In Passive mode, users can prove that they belong to the Owners or Co-op class by submitting a username and password to the auth server. In Open mode, since there is no opportunity to submit a username and password, all users are treated the same: Uncommenting MembersOnly disables Internet access, except to hosts named in AllowedWebHosts. MembersOnly is commented out by default.

IncludePorts and ExcludePorts—These allow you to restrict the use of certain ports for Public class users, either by allowing certain ports and no others (IncludePorts) or by disallowing certain ports and permitting all others (ExcludePorts). This is where, by default, outgoing mail is blocked by excluding port 25. If you set up a public portal, comment out the Exclude Ports 25 line in

 

nocat.conf if you want your users to be able to send mail using mail clients such as Microsoft Outlook. The alternative will probably be dealing with lots of questions and complaints. (It will not be clear to users why they can’t send mail. It just won’t work. Of course, you can explain it on the splash page, which everyone will read with meticulous attention.) If both these parameters are commented out, all ports are allowed.