Introduction
The November 8, 2004 FC3 release contained an early version of NetworkManager. On the NetworkManager homepage
http://www.gnome.org/projects/NetworkManager/
the following statement can be found.
Networking on Linux right now is painful for the mobile desktop user, especially in comparison to other operating systems. A laptop user should never need to use the command line or configuration files to manage their network; it should "Just Work" as automatically as possible and intrude as little as possible into the user's workflow. NetworkManager attempts to make networking invisible. When moving into areas you've been before, NetworkManager automatically connects to the last network the user chose to connect to. Likewise, when back at the desk, NetworkManager will switch to the faster, more reliable wired network connection.
This article concerns the operation of NetworkManager running under Fedora Core 5 on an IBM T42 with a built-in Intel Pro 2200BG wireless adapter. NetworkManager has backends for Debian, Gentoo, Red Hat, Slackware, and SUSE.
Design Goals and Features
According to Dan Williams, the principal developer, NetworkManager was initially designed for the user who:
- uses a laptop as his primary computer,
- moves frequently between access points at work, home, hotels, airports, and coffee shops,
- works in an environment where security is given a high priority,
- has a system administrator who can set up GConf defaults,
- doesn't necessarily know how to configure networking and wants things to "Just Work."
NetworkManager's Current List of Features includes the following.
- A wired connection is established if available and the wireless interface is deactivated.
- A wireless connection is established if no wired connection is available and the wired interface is deactivated.
- Networking can be disabled when no connections are available.
- NetworkManager obtains an IP address from an available DHCP server but honors static IP addresses defined in distribution system network files.
- WPA support.
- Domain name resolution is provided by a local caching nameserver controlled by NetworkManager.
- Support is provided for wireless networks that broadcast their SSIDs and networks that do not.
- VPN is supported by integration with VPNC, OpenVPN, and PPTP.
- Dial-up modems are supported.
- Network parameters are stored in Gnome GConf.
- Passwords are stored in Gnome Keyring.
- NetworkManager is controlled via a Gnome panel applet. A KDE panel applet is under development.
Supported Wireless Drivers
Dan Williams posted the following note on this topic in January 2005.
http://lkml.org/lkml/2005/1/25/296
This list of stuff that should get fixed in Linux wireless grew out of my attempt to put a GUI on top of Linux wireless with NetworkManager. I think the biggest issue here is that the Wireless Extensions API has stagnated a bit, and driver writers have gone off and done their own thing (for example, WPA support) because the WEAPI hasn't shown leadership in this area. That's fixable, and at this point doesn't seem to be a large amount of work . . . .
To work with NetworkManager, a wireless card must support WPA, and the driver must report the correct capability values to NetworkManager. A NetworkManager compatibility guide can be found at
http://live.gnome.org/NetworkManagerHardware
The ipw2200 driver is discussed in a separate article.
Installed Packages
Here is the list of installed packages, taken from the following repositories.
http://download.fedora.redhat.com/pub/fedora/linux/core/5/i386/os/Fedora/RPMS/
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/5/i386/
kernel
kernel-devel
NetworkManager
NetworkManager-glib
NetworkManager-gnome
Required Packages
chkconfig
dbus
dbus-glib
hal
bind
dhclient
dhcdbd
iproute
openssl
caching-nameserver
glibc
wireless-tools
libnl
wpa_supplicant
http://download.fedora.redhat.com/pub/fedora/linux/extras/5/i386/
NetworkManager-vpnc
Alternatively, build from CVS.
http://www.gnome.org/projects/NetworkManager/developers/
Packages Required to Build CVS
dbus-devel
hal-devel
glib2-devel
gtk2-devel
libglade2-devel
openssl-devel
GConf2-devel
gnome-panel-devel
libgnomeui-devel
gnome-keyring-devel
gettext-devel
pkgconfig
libnl-devel
The latest ipw2200 version can be installed from SourceForge. More details can be found in a posted article.
VPNC, Firestarter, PAM_KEYRING
http://download.fedora.redhat.com/pub/fedora/linux/extras/5/i386/
vpnc
firestarter
http://www.hekanetworks.com
pam_keyring
Fedora Core System Network
If the 'system-config-network' utility was used to set up the network interfaces, the system files will look something like this.
/etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=no
TYPE=Ethernet
HWADDR=00:0d:60:b2:19:9d
USERCTL=yes
PEERDNS=yes
IPV6INIT=no

/etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
BOOTPROTO=dhcp
ONBOOT=no
TYPE=Wireless
HWADDR=00:0e:35:14:60:d0
USERCTL=yes
PEERDNS=yes
IPV6INIT=no
If a static ip address or other network data is configured in these files, NetworkManager will honor these settings.
An FC5 bug in initscripts causes the eth0 name to be assigned at random rather than according to the HWADDR lines in these configuration files, so the wired and wireless interfaces can swap names between boots. This plays all kinds of havoc. A fix is in updates.
yum --enablerepo=updates install initscripts
NetworkManager Setup
NetworkManager runs as a service owned by the root user. It manages wired and wireless connections and DHCP and VPN transactions. After installation, as root set this service to run in levels 3, 4, 5.
/sbin/chkconfig --level 345 NetworkManager on
NetworkManagerDispatcher runs as a service owned by the root user. It executes scripts owned by root and placed in the directory
/etc/NetworkManager/dispatcher.d
After installation, as root set this service to run in levels 3, 4, 5.
/sbin/chkconfig --level 345 NetworkManagerDispatcher on
The scripts placed in /etc/NetworkManager/dispatcher.d are run when network interfaces are brought up or down. NetworkManagerDispatcher passes two arguments to each script: the interface (eth0, eth1, ...) and either 'up' or 'down'. Because they run as root on every link change, the scripts must be owned by root and not writable by anyone else. I currently use this feature to control the network-dependent services ntpd and firestarter (fedora-extras) with the scripts ntpd-script and firestarter-script, which are owned by root with permissions 700. The first service is the network time protocol daemon and the second is a user-friendly firewall. The configuration of the firewall for use with VPNC is discussed below. The RPM install already sets this service to run in levels 3, 4, 5.
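The following dispatcher hook is an added example, not the ntpd-script or firestarter-script from the article. It shows the contract described above (two arguments, run as root) and keeps the decision separate from the side effects so it can be tested without root. The service names, the /sbin/service path and the file name are assumptions.

```shell
#!/bin/sh
# /etc/NetworkManager/dispatcher.d/10-ntpd-firestarter  (added example)
# NetworkManagerDispatcher runs every script in this directory as root with
# two arguments: the interface name and "up" or "down". Because it runs as
# root on every link change, install it root-owned with mode 700.
# Assumed: /sbin/service exists and the init scripts are named ntpd and
# firestarter.

# Decide what to do. Prints one "service:action" per line, and nothing for
# interfaces we do not manage. No side effects, so it is testable unprivileged.
plan_actions() {
    iface="$1"
    action="$2"
    case "$iface" in
        eth*) ;;            # wired/wireless NICs only; ignore lo, tun0, ...
        *) return 0 ;;
    esac
    case "$action" in
        up)
            # Re-apply the firewall for the new interface, then (re)start
            # time sync now that a route exists.
            printf '%s\n' "firestarter:start" "ntpd:restart" ;;
        down)
            # Stop ntpd while offline. The firewall is deliberately left
            # running: never drop packet filtering on a link-down event.
            printf '%s\n' "ntpd:stop" ;;
        *)  return 1 ;;     # unexpected argument: refuse rather than guess
    esac
}

# Carry out the plan through the init scripts and record it in syslog.
run_plan() {
    plan_actions "$1" "$2" | while IFS=: read -r svc act; do
        logger -t nm-dispatch "$1 $2: $svc $act"
        /sbin/service "$svc" "$act" >/dev/null 2>&1
    done
}

# Only act when invoked by the dispatcher with its two arguments.
if [ "$#" -eq 2 ]; then
    run_plan "$1" "$2"
fi
```

A bogus second argument makes plan_actions return non-zero instead of starting or stopping anything, which is the safe default for a hook that runs with root privileges.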
The nm-applet is autostarted by Gnome, runs in a user session, and provides a panel icon, a menu, and a context menu.
The dhcdbd service provides a dbus interface for the DHCP client dhclient. As root set the service to run in levels 3, 4, 5.
/sbin/chkconfig --level 345 dhcdbd on
The named service in bind is now D-BUS enabled. As root set the service to run in levels 3, 4, 5 and set the DBUS option.
/sbin/chkconfig --level 345 named on
Add to /etc/sysconfig/named
OPTIONS="-D"
NetworkManager stores passwords in the Gnome keyring. To avoid being prompted for the keyring password in addition to the login password, the pam_keyring module can unlock the default keyring with the password given to GDM. For this to work your default keyring password must match your user password, which also means the keyring is then only as strong as that login password.
Add to /etc/pam.d/gdm
auth     optional pam_keyring.so try_first_pass
session  optional pam_keyring.so
After installation by CVS run the following command.
gtk-update-icon-cache -f /usr/share/icons/hicolor
Access Point (AP) Settings
Typically, APs transmit between six and ten beacon packets per second containing their ESSID, maximum transfer rate, and MAC address. If the ESSID is blanked from the beacon packets, the AP is called hidden or cloaked; if the ESSID is included, the AP is said to broadcast its ESSID. You may encounter hidden APs at universities or businesses that have been using wireless for a long time. If beaconing is completely disabled, the AP is called non-beaconing. In the early days of wireless, hidden and non-beaconing APs were considered more secure, but this is no longer the case: the ESSID still travels in the clear in probe requests, probe responses and association frames, so a passive listener learns it as soon as any client connects, and clients configured for a hidden network probe for it by name wherever they go. There is now general agreement among wireless vendors that an AP should be set to broadcast its ESSID and its authentication type should be set to open system. The Cisco whitepaper
http://www.cisco.com/en/US/products/hw/wireless/ps430/products_white_paper09186a00800b469f.shtml
states that
Some AP vendors, including Cisco, offer the option to disable SSID broadcasts in the beacon messages. The SSID is not designed, nor intended for use, as a security mechanism. In addition, disabling SSID broadcasts might have adverse effects on Wi-Fi interoperability for mixed-client deployments. Therefore, Cisco does not recommend using the SSID as a mode of security.
Use these settings when available.
Broadcast ESSID: yes
Authentication Type: Open System
Several authentication types may be available on your AP. The shared key setting (called 'restricted' in iwconfig terminology) is not recommended: WEP shared-key authentication sends a plaintext challenge and its RC4-encrypted reply over the air, handing an eavesdropper a keystream segment that can be reused to forge frames. Open system authentication with encryption applied afterwards is the better choice.
Broadcast and Hidden ESSIDs
NetworkManager setup varies slightly depending on whether or not your AP broadcasts its ESSID. My home network does broadcast its ESSID but my work network does not, so I will describe each setup separately below.
To be completely compatible with NetworkManager, the firmware and driver of your wireless adapter must be able to receive and process the beacons from wireless APs. If your wireless driver does not return a list of APs when you issue the command
iwlist iface scan
then it is not completely compatible with NetworkManager. The scans produced by the airo and ipw2200 drivers and firmware list the APs that broadcast beacon packets.
Passwords and WEP Keys
NetworkManager now stores VPNC passwords and group passwords as well as WEP keys in the Gnome Keyring. The first time NetworkManager starts Gnome Keyring, the user is asked to set a password for the default keyring, as shown in Figure 1.

Figure 1
Thereafter, the default keyring password must be supplied when a Gnome user session starts as shown in Figure 2. Gnome Keyring can be run in a KDE session by using a startup script.

Figure 2
Home Network, Broadcast SSID
After booting, an animated panel icon appeared. I clicked on the icon and the dialog box in Figure 3 popped up.
Figure 3
Next, I clicked on 'mosswap' and the dialog box in Figure 4 popped up.

Figure 4
I input the key type and WEP key, hit the 'Login to Network' button, and had a connection in a few seconds. The appearance of the panel icon changed to the familiar four vertical bar signal strength indicator shown in Figure 5.
Figure 5
Hovering over the panel icon produced the message
Wireless network connection to 'mosswap' (80%)
The nm-applet stores network information in Gnome GConf. I used the gconf-editor to click through the path
/system/networking/wireless/networks/mosswap
and found the following keys and values.
bssids               [00:01:24:F0:40:5A]
essid                mosswap
timestamp            1103145995
we_cipher            16
wep_auth_algorithm   1
Note that the WEP key is stored in the Gnome default Keyring. Next, I made a wired connection to my router and the appearance of the panel applet immediately switched to a wired connector icon. I tested the wired connection and then pulled the plug. In a few seconds, the wireless connection was re-established.
Campus Network, a Hidden ESSID
After booting, I clicked on the animated panel icon and then on 'Other Wireless Networks.' The dialog box in Figure 6 popped up. I filled in the campus ESSID cuairnet, the key type and the hex key, and then hit the 'Connect' button.

Figure 6
In a few seconds, the icon appearance changed to the vertical bar signal strength indicator and I had a wireless connection. Using gconf-editor, I clicked through the path
system/networking/wireless/networks/cuairnet
and found
bssids               [00:0F:90:7B:32:D0]
essid                cuairnet
timestamp            1102294128
we_cipher            16
wep_auth_algorithm   1
I right-clicked on bssids, selected 'Edit Key', and added the MAC addresses of a couple of additional APs that are close to my office. Note that the WEP key is stored in the Gnome default Keyring. I repeated the autoswitching test by plugging in an Ethernet cable and then removing it. The transition between wired and wireless networks progressed smoothly.
Context Menu
The NetworkManager context menu and the Connection Information dialog are shown in Figure 7.


Figure 7
VPN Support
NetworkManager CVS currently supports VPNC, OpenVPN, and PPTP. The RPM version currently supports VPNC. This section discusses VPNC. To configure a VPN connection, select 'Configure VPN...' from the 'VPN Connections' menu. The dialog box shown in Figure 8 will pop up.

Figure 8
Hitting the Add button will produce the dialog box shown in Figure 9.

Figure 9
Hitting the Forward button produces the dialog box shown in Figure 10.

Figure 10
Hitting the Forward button again produces the dialog box shown in Figure 11. A name for the connection, the gateway and the group name have been filled in.

Figure 11
Hitting the Forward button yet again produces the dialog box shown in Figure 12.

Figure 12
Hitting the Apply button and then the Close button shown in Figure 8 completes the configuration. Using gconf-editor and clicking through the path
/system/networking/vpn_connections/clemson
reveals the following keys and values.
last_attempt_success   checked (true)
name                   clemson
routes                 []
service_name           org.freedesktop.NetworkManager.vpnc
vpn_data               [IPSec gateway, 130.127.12.21, IPSec ID, CUVPN]
To make a VPN connection, I selected 'clemson' from the 'VPN Connections' menu. The dialog box shown in Figure 13 appeared. I input my 'Password' and 'Group Password' which are stored in the default Gnome Keyring.

Figure 13
In a few seconds, a VPN connection was established and a small lock icon was superimposed on the panel icon. To disconnect, select 'Disconnect VPN...' from the 'VPN Connections' menu.
If the value of the routes key is an empty list, as shown above, the default route goes through the VPN tunnel; the local network stays reachable through its directly connected route, but everything else traverses the tunnel:
Kernel IP routing table
Destination     Gateway         Genmask         Iface
130.127.12.21   192.168.2.1     255.255.255.255 eth1
192.168.2.0     *               255.255.255.0   eth1
default         *               0.0.0.0         tun0
If instead the routes key holds the string 130.127.200.0/24, only that subnet is reached through the tunnel and the default route stays local (split tunneling), so traffic to every other destination leaves the laptop over the local network without the VPN's protection. We have
Kernel IP routing table
Destination     Gateway         Genmask         Iface
130.127.12.21   192.168.2.1     255.255.255.255 eth1
130.127.200.0   *               255.255.255.0   tun0
192.168.2.0     *               255.255.255.0   eth1
default         192.168.2.1     0.0.0.0         eth1
To configure the routes key, select 'Configure VPN...' from the 'VPN Connections' menu, select 'clemson', and hit the Edit button. Figure 14 shows how to enter the address 130.127.200.0/24.

Figure 14
Finally, hit the Apply button and then the Close button shown in Figure 8.
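As an added example (not part of the article), the check below reads a routing table and reports whether the VPN session is full-tunnel or split-tunnel, so the effect of the routes key can be verified after each connection rather than assumed. The two samples are constructed from the tables above in `route -n` format; the tunnel device name tun0 is an assumption.

```shell
#!/bin/sh
# Added example: classify a VPN session from the routing table.
# Reads `route -n` style text on stdin. The tunnel device (tun0 for vpnc)
# is passed as the first argument and is an assumption.

# Prints "full" if the default route leaves via the tunnel, "split" if the
# tunnel carries only specific prefixes, "none" if nothing uses the tunnel.
classify_routes() {
    awk -v tun="$1" '
        $1 !~ /^[0-9]/ && $1 != "default" { next }   # title and header lines
        $NF == tun {
            tun_routes++
            if ($1 == "0.0.0.0" || $1 == "default") def_via_tun = 1
        }
        END {
            if (def_via_tun) print "full"; else if (tun_routes) print "split"; else print "none"
        }'
}

# Prints destination/netmask for every route through the tunnel, to compare
# against the GConf routes key.
tunnel_prefixes() {
    awk -v tun="$1" '($1 ~ /^[0-9]/ || $1 == "default") && $NF == tun { print $1 "/" $3 }'
}

# Constructed sample: routes key empty, default route through tun0.
FULL_TUNNEL_SAMPLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
130.127.12.21   192.168.2.1     255.255.255.255 UGH   0      0        0 eth1
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 tun0'

# Constructed sample: routes key set to 130.127.200.0/24, default stays local.
SPLIT_TUNNEL_SAMPLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
130.127.12.21   192.168.2.1     255.255.255.255 UGH   0      0        0 eth1
130.127.200.0   0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         192.168.2.1     0.0.0.0         UG    0      0        0 eth1'

# On the laptop itself:  route -n | classify_routes tun0
printf '%s\n' "$FULL_TUNNEL_SAMPLE"  | classify_routes tun0    # full
printf '%s\n' "$SPLIT_TUNNEL_SAMPLE" | classify_routes tun0    # split
printf '%s\n' "$SPLIT_TUNNEL_SAMPLE" | tunnel_prefixes tun0    # 130.127.200.0/255.255.255.0
```

Run it from a dispatcher script or by hand after connecting; a result of "none" while the applet shows the lock icon means vpnc brought the tunnel up but installed no route through it.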
Configuration of the Firestarter Firewall for Use with VPNC
When using Firestarter, the iptables service should be turned off so that the two do not fight over the rule set. Firestarter's inbound policy is deny all; users can open ports as needed. Two outbound policies are offered, permissive and restrictive; I currently use the permissive policy and close ports as desired. The current Firestarter version does not support VPN, but users can add iptables rules to the user-pre and user-post files. I found the following rules work with the Clemson Cisco VPN Concentrator. Note that the two tunnel-device rules accept all traffic in both directions on tun0, so the rule set trusts everything on the far side of the tunnel; tighten them if that is not what you want.
/etc/firestarter/user-pre

VPNGATEWAY=130.127.12.21
TUNDEV=tun0

# IKE (isakmp, udp/500) and Cisco IPSec-over-UDP (udp/10000) to and from the concentrator,
# ESP for the tunnel itself, and everything on the tunnel device.
iptables -A INPUT  -j ACCEPT -s $VPNGATEWAY -p esp
iptables -A INPUT  -j ACCEPT -s $VPNGATEWAY -p udp -m multiport --sports isakmp,10000
iptables -A INPUT  -j ACCEPT -i $TUNDEV
iptables -A OUTPUT -j ACCEPT -d $VPNGATEWAY -p esp
iptables -A OUTPUT -j ACCEPT -d $VPNGATEWAY -p udp -m multiport --dports isakmp,10000
iptables -A OUTPUT -j ACCEPT -o $TUNDEV
If your VPN Concentrator uses NAT-T (UDP encapsulation on udp/4500), change 'isakmp,10000' to 'isakmp,4500,10000' in both udp rules.
Suspend to RAM
NetworkManager support for suspend to ram is provided by the pm-utils package.
NAMED D-BUS Support
If you have the bind-chroot package installed:
- Remove ALL RPMs related to named, caching-nameserver, and NetworkManager.
- Remove the contents of /var/named.
- Update to selinux-policy-targeted version 1.27.1-13 or later.
- Re-install the RPMs listed above, but DO NOT re-install the bind-chroot RPM.
Background: On startup, if 'named -D' detects that it cannot connect to D-BUS because, for example, it is started before the messagebus service, named will emit the syslog message
D-BUS service disabled.
and will start a timer that periodically retries connecting to D-BUS. After the messagebus service starts, named will emit the syslog message
named[xxxx]: D-BUS service enabled.
If dhcdbd is not running when named is able to connect to D-BUS, the syslog message
named[xxxx]: D-BUS dhcdbd subscription disabled.
will appear. Once dhcdbd has started, the syslog message
named[xxxx]: D-BUS dhcdbd subscription enabled.
will appear.
Caveats:
- Named's D-BUS service does not work at all if named is run in a chroot environment, that is, if the bind-chroot package is installed. This is because the '/var/run/dbus/system_bus_socket' does not exist in the chroot. Remove this package if it is installed. Use of bind-chroot is deprecated in favor of SELinux in enforcing mode, so this issue is unlikely to be fixed.
- All selinux-policy-targeted versions prior to 1.27.1-13 disallow named from connecting to D-BUS or dhcdbd. If an SELinux version less than 1.27.1-13 is running in Enforcing mode, 'named -D' cannot be used.
NetworkManager Interactions
As shown in the diagram below, NetworkManager components communicate via D-BUS, a system message bus that allows applications to talk to each other. HAL, the Hardware Abstraction Layer, provides information to applications about existing and new hardware.
D-BUS
|__________________________________
|-------- NetworkManager ----------|-- Network Cards
|------------ dhcp-manager         |
|------------ named-manager        |
|------------ vpn-manager          |
|---------------- vpn-daemons      |
|-------------------- vpnc --------|-- VPNC
|-------------------- openvpnc ----|-- OPENVPN
|-------------------- pptp --------|-- PPTP
|__________________________________|
|
|-------- HAL
|-------- dhcdbd --------------------- dhclient
|-------- named
|-------- NetworkManagerDispatcher --- ntpd, firestarter
|-------- nm-applet ------------------ gconfd, gnome-session