
Getting There is Half the Battle

It sounded like a great deal -- a business DSL connection, high speed (1.2MB/s), four static IP addresses, all at about the same price as the low-speed service from my local phone monopoly, Pacific Bell. One of my employer's business partners had this arrangement for their customers, and were extending it to employees of associated companies. Ah! the wonderful days before the dot-com crash-and-burn. But you just knew there had to be a catch.

So I signed up, and about two months and several missed appointments later the phone tech showed up, brought our lines back to the condition they should have been in in the first place, and gave us a clean bill of electronic health. (Somewhere in the course of the two or three years since I had the second line installed for the computer, our two lines had been combined into one, with a splitter of some sort. But the tech didn't remove the splitter, just left it on one of the lines and put the other back.)

So when the DSL installer showed up the next week (I signed up in October; it is now the first week in January), he discovered that our line had something called a ``pair gain'' on it. No go. I called the company I had signed up with, they directed me to their DSL provider (oh, so they don't do it themselves: it's all smoke and mirrors: the DSL provider is XO, they use Covad, who leases the lines and rack space from Pacific Bell, which is part of SBC...), and they (XO) said that Pacific Bell's charge for removing a pair gain was about $400. ``But if you order DSL directly from Pac Bell they might just do it for free, since it's their line.'' So I did, and they did (at $20 more for a quarter the speed of the original deal), and two weeks later a slightly bemused Pac Bell installer was goggling at our walls full of books and handing me an Alcatel DSL modem and a ``free'' ethernet card.

The actual ``installation'' took about an hour. I already had the computer line going directly to the closet where I keep the servers, so I had the tech install a DSL splitter in the closet (they usually put it on the outside wall), so that I could plug in the DSL and analog modems. I then daisy-chained the modem's ``phone'' jack into the wiring that had once gone to the computer line, so I now had access to my dialup modem line in a couple of extra places around the house. Someday I have to rationalize the wiring...

So the horror stories you've heard about DSL installation are all true. I had it comparatively easy.

Lowering the Drawbridge

A man's home is his castle...

Naturally, the only OS the installer knew how to support was Windows, so I unplugged the dual-boot machine from the office Ethernet switch and plugged it into the Alcatel, and followed instructions enough to prove that it worked. Then I unplugged it and bade the technician farewell.

You don't connect to the Internet without a firewall. It's a jungle out there, with thousands of crackers and script kiddies scanning for vulnerable machines, and the half-life of an unprotected system is about fifteen minutes. I'd been comparatively lucky with my dialup line, and only been cracked twice before I wised up and hardened it. I had no illusions about the DSL line.

About a half-hour before the tech arrived, I'd discovered that the old Pentium 90 I'd originally set aside to be the firewall couldn't handle dates after 1999. So I rescheduled an upgrade, moved a bunch of cards around, and installed a minimal copy of RedHat 6.2 on the machine I'd originally planned to use as a web server in the DMZ (the ``De-Militarized Zone'': the network segment, between the Internet and your internal machines, where you put the servers that have to be reachable from outside). Easy come, ...

The card shuffling, installing, and setup, counting the firewall setup (more on that below) took about two hours.

Digging the Moat

...and getting a good deal on alligators...

The critical component of a firewall is the file that says which packets to let through. Note the wording: you start by blocking everything, and then specify the few services you allow (``default deny''). The easiest way to get one of these is to browse to Robert L. Ziegler's excellent linux-firewall-tools.com/linux/ website, and fill in an interminable series of web forms. In the end you will be left staring at a shell script full of packet-filter commands (ipchains on the 2.2 kernel that RedHat 6.2 ships with; iptables on 2.4) which you can ``save as'' /etc/rc.d/rc.firewall and run from rc.local when your system starts up. Make sure it runs before anything starts listening on the DSL interface; until the rules are loaded the box is wide open.

A lot of books and articles on firewalls set them up to allow anything that originates in your network to get out to the Internet. This is actually a very bad idea: if somebody does penetrate your network and take over one of your machines, they can use it as a base of operations for scanning, spamming and attacking other sites, and your ISP would be justifiably annoyed at you. So allow outgoing web, e-mail, DNS, FTP, SSH, news, IRC if you use it, and very little else; and log what you drop, so you notice when an inside machine starts trying to talk to places it shouldn't.

The only services you should allow in to your system are SSH (ideally only from the addresses you administer from), maybe ICMP (ping, traceroute, etc.), SMTP (e-mail) if you have your own domain, and HTTP (web) -- and that last only if you're willing to make sure your web server is set up securely.
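The policy of the last three paragraphs, written out as a small rc.firewall in the style of the generated script. This is an added example, not the page author's script or the output of Ziegler's generator; it uses iptables (the 2.4-kernel successor of the ipchains that RedHat 6.2's 2.2 kernel used), and it assumes eth0 faces the DSL modem, eth1 faces a LAN on 192.168.1.0/24, and ssh logins come only from two admin hosts, all of which are assumptions written as RFC 5737 documentation addresses rather than facts from the page.

```shell
#!/bin/sh
# /etc/rc.d/rc.firewall -- added example of a default-deny ruleset; not the page
# author's own script.  Assumptions (not from the page): iptables on a 2.4+ kernel,
# eth0 = DSL side, eth1 = home LAN, and ssh is only ever used from ADMIN_HOSTS.
IPT="${IPT:-iptables}"
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
INT_NET="${INT_NET:-192.168.1.0/24}"
ADMIN_HOSTS="${ADMIN_HOSTS:-203.0.113.10 198.51.100.22}"   # documentation addresses

# 1. Start from nothing: every chain drops unless a later rule accepts.
flush_and_default_deny() {
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
}

# 2. Loopback, and packets belonging to connections we already accepted.
allow_established() {
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
}

# 3. Outbound: only the services the text lists (web, mail, DNS, ftp, ssh, news, irc),
#    from the firewall itself and forwarded from the LAN.  Nothing else gets out, so a
#    compromised inside box is a poor base of operations.  (LAN hosts with private
#    addresses would also need a MASQUERADE rule in the nat table.)
allow_outbound() {
    for port in 80 443 25 110 143 21 22 119 6667; do
        $IPT -A OUTPUT  -o "$EXT_IF" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
        $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    $IPT -A OUTPUT  -o "$EXT_IF" -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -p udp --dport 53 -j ACCEPT
}

# 4. Inbound from the Internet: ssh from the admin hosts only, SMTP and HTTP to this
#    box, rate-limited ping.  Everything else is logged (rate-limited, so a scan
#    cannot fill the disk) and then dropped by the policy.
allow_inbound() {
    for host in $ADMIN_HOSTS; do
        $IPT -A INPUT -i "$EXT_IF" -p tcp -s "$host" --dport 22 -m state --state NEW -j ACCEPT
    done
    $IPT -A INPUT -i "$EXT_IF" -p tcp --dport 25 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -m limit --limit 3/min -j LOG --log-prefix "FW-DROP: "
}

build_firewall() {
    flush_and_default_deny
    allow_established
    allow_outbound
    allow_inbound
}

# Usage:  rc.firewall start   (load the rules; run as root from rc.local)
#         rc.firewall show    (print the iptables commands instead of loading them)
case "${1:-}" in
    start) build_firewall ;;
    show)  IPT="echo iptables"; build_firewall ;;
esac
```

Run it with `show` first and read the output: the thing to check is that no rule accepts a new inbound connection on a port you did not mean to expose, and that the three policy lines say DROP.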

SSH is your friend. If you don't have a recent version, go at once to openssh.org and get one; it's free. SSH stands for Secure SHell, and it's a secure replacement for telnet, rsh, rlogin, rcp, and ftp. The main thing it does for you is encrypt all of the traffic between the remote client and the server on your system, including the passwords; it also checks the server's host key, so the client notices if somebody is impersonating your machine. Without this encryption, any script kiddie with a packet sniffer somewhere on the path can grab the passwords you use for telnet and ftp. Not good.

With SSH on your firewall, you can connect to your home network from any Internet-connected machine in the world (as long as it has an ssh client on it). Better yet, disable password authentication, use keys instead, and limit access to only the few machines that you tell it about, for instance your laptop and your desktop machine at work -- in the firewall rules, in sshd's configuration, or both.
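The sshd side of that restriction, as an added example rather than the page author's configuration: a small script that rewrites sshd_config directives idempotently (replacing commented-out defaults and duplicates, since sshd honours only the first occurrence) and that prefixes an authorized_keys line with a `from=` restriction. It assumes OpenSSH's sshd_config syntax, a login name of `steve`, and the two RFC 5737 documentation addresses as the admin machines; the public key in the usage comment is a constructed placeholder.

```shell
#!/bin/sh
# Added example: key-only ssh logins from a few named machines.  Not the page
# author's setup; assumes OpenSSH sshd_config syntax and that the admin logs in as
# "steve" from the two documentation addresses used below.

# set_sshd_option FILE KEY VALUE
# Replace the first occurrence of KEY (even one commented out with '#'), drop any
# later duplicates, or append the directive if it was absent.
set_sshd_option() {
    _file=$1 _key=$2 _value=$3
    awk -v k="$_key" -v v="$_value" '
        BEGIN { done = 0; pat = "^[# \t]*" tolower(k) "([ \t]|$)" }
        tolower($0) ~ pat {
            if (!done) { print k, v; done = 1 }   # first hit becomes the live directive
            next                                  # later copies are dropped
        }
        { print }
        END { if (!done) print k, v }
    ' "$_file" > "$_file.tmp" && mv "$_file.tmp" "$_file"
}

# sshd_option FILE KEY -- print the value sshd will actually use (first live match).
sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# harden_sshd FILE "user@host ..." -- keys only, no root, logins only from listed hosts.
harden_sshd() {
    _cfg=$1 _allow=$2
    set_sshd_option "$_cfg" Protocol 2     # SSH-1 is broken; 2001-era sshd still offered it
                                           # (modern sshd just warns the option is deprecated)
    set_sshd_option "$_cfg" PermitRootLogin no
    set_sshd_option "$_cfg" PasswordAuthentication no
    set_sshd_option "$_cfg" ChallengeResponseAuthentication no
    set_sshd_option "$_cfg" PubkeyAuthentication yes
    set_sshd_option "$_cfg" X11Forwarding no
    set_sshd_option "$_cfg" AllowUsers "$_allow"   # user@host patterns: who, and from where
}

# restrict_key "host1,host2" < id.pub -- emit an authorized_keys line that only works
# from those source addresses and cannot open tunnels, X11 or agent forwarding
# (defence in depth behind AllowUsers and the firewall rule).
restrict_key() {
    sed "s/^/from=\"$1\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding /"
}

# Usage (as root), then `sshd -t` to check the syntax before restarting sshd:
#   harden_sshd /etc/ssh/sshd_config "steve@203.0.113.10 steve@198.51.100.22"
#   restrict_key "203.0.113.10,198.51.100.22" < id_rsa.pub >> ~steve/.ssh/authorized_keys
```

Keep an existing ssh session open while you restart sshd with the new configuration, and log in fresh from one of the allowed hosts before closing it; a typo in AllowUsers otherwise locks you out of a box that may be across town.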

What I did for my web server was set up Apache with a mostly blank and uninformative home page with no links on it. Such tempting goodies as CGIs and user directories are disabled. I then have a small number of top-level pages and directories proxied into the internal network. This means that I can see my network and UPS status pages from outside, and my kid can snag her homework from school. But that's it.

This page, of course, is hosted by my faithful and well-connected ISP. Oh, yes: don't give up your dialup ISP when you go to broadband. DSL providers tend to be pretty worthless when it comes to support, especially for Linux users. Cable providers are even worse. Your dialup connection is good to fall back on when broadband is hosed -- keep it up and running.

In fact, I never switched my mail and news connections over from dialup to DSL: my cron job still dials in every half-hour to exchange the mail and news. If it ain't broke, don't fix it. I also figure that if somebody else on a nearby DSL line starts using it to send spam, the entire block of IP addresses is likely to get on the black-hole list. This way the problem never comes up, though it does mean a half-hour delay receiving e-mail. Big deal.


$Id: dsl.html,v 1.3 2001/12/08 18:15:13 steve Exp $
Stephen R. Savitzky <steve@theStarport.org>