Wednesday, January 5, 2005

Debian Way to Patch and Add Modules to the Kernel

There have been articles before about patching the kernel, but I am going to merge two articles into the one way that is easiest for me to modify my kernel under Woody. I will be borrowing heavily from http://myrddin.org and http://pptpclient.sourceforge.net. Together these two sites have given me an easy way to patch the kernel and install newly compiled modules into it.

If I find out that there is an even easier way, I will make changes to this page.

INSTALLING A KERNEL PATCH
First, get the source code. (Root is necessary for most of these steps. If you are installing something unknown, like a non-Debian patch or module, you should copy the source code to a user directory and perform the rest of the steps there under a normal user account.)
# apt-get install kernel-source-2.6.6 #or whatever Debian source you want
# apt-get install kernel-package debhelper dpkg-dev
# apt-get install libncurses5-dev #usually unnecessary if you use the oldconfig option
# cd /usr/src
# tar -jxvf kernel-source-2.6.6.tar.bz2


Second, copy Debian's stock kernel config file
# cp /boot/config-`uname -r` /usr/src/linux/.config

(If this doesn't work, it just means that you do not have the stock kernel image installed. You can just use the closest kernel config available.)

Third, here is where I differ from myrddin.org by using the approach from pptpclient.sf.net
# cd /usr/src/kernel-source-2.6.6
# export PATCH_THE_KERNEL=YES
# make-kpkg --added-patches mppe --append-to-version -1-686-mppe \
--config oldconfig --initrd kernel_image module_image

(The --append-to-version value follows Debian's naming standard with a description at the end for easy grub identification. module_image and kernel_image don't both have to be there.)

Now comes the long compile. You will be asked about any options that differ between the /usr/src/kernel-source-`uname -r`/.config file and the current version of the kernel.

For example,
PPP MPPE compression (encryption) (PPP_MPPE) [N/m/?] (NEW) m


Last step, install the kernel and module packages you created
# dpkg -i /usr/src/kernel-image-2.6.6-1-686-mppe_10.00.Custom_i386.deb
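Before running dpkg -i, it helps to see exactly which options the oldconfig step changed relative to the stock config, so that the patch enabled only what you expected (here PPP_MPPE). The script below is an added example, not part of the original articles; the function names and the two sample config files are constructed for illustration.

```shell
#!/bin/sh
# Added example: report kernel config symbols whose value differs between
# the stock config and the .config written by "make-kpkg --config oldconfig".

config_symbols() {
    # Normalise a config file to sorted "SYMBOL=value" lines.
    # "# CONFIG_X is not set" is reported as "X=n".
    sed -n -e 's/^CONFIG_\([A-Za-z0-9_]*\)=\(.*\)$/\1=\2/p' \
           -e 's/^# CONFIG_\([A-Za-z0-9_]*\) is not set$/\1=n/p' "$1" | sort
}

config_changes() {
    # $1 = old config, $2 = new config; prints "SYMBOL old -> new".
    _old=$(mktemp); _new=$(mktemp)
    config_symbols "$1" > "$_old"; config_symbols "$2" > "$_new"
    awk '{ i = index($0, "="); k = substr($0, 1, i - 1); v = substr($0, i + 1) }
         FILENAME == ARGV[1] { o[k] = v; next }
         { n[k] = v }
         END { for (k in n) if (!(k in o)) print k, "(absent) ->", n[k];
                            else if (o[k] != n[k]) print k, o[k], "->", n[k];
               for (k in o) if (!(k in n)) print k, o[k], "-> (absent)" }' \
        "$_old" "$_new" | sort
    rm -f "$_old" "$_new"
}

# Constructed sample configs standing in for /boot/config-`uname -r`
# and /usr/src/kernel-source-2.6.6/.config.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
cat > "$demo/stock" <<'EOF'
CONFIG_PPP=m
CONFIG_PPP_DEFLATE=m
# CONFIG_PPP_BSDCOMP is not set
CONFIG_NETFILTER=y
EOF
cat > "$demo/new" <<'EOF'
CONFIG_PPP=m
CONFIG_PPP_DEFLATE=m
CONFIG_PPP_BSDCOMP=m
CONFIG_PPP_MPPE=m
CONFIG_NETFILTER=y
EOF

config_changes "$demo/stock" "$demo/new"
```

Any line in the output that you did not answer for during the compile is a reason to stop and read the patch before installing the package.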

IPSEC VPN

I've been given the task of joining two separate companies through the internet over an IPSEC VPN. I have been working with PPTP VPNs and have been very impressed with IPSEC. Luckily, I don't have to work with the Microsoft standard L2TP. IPSEC is difficult and elegant enough without having to see how Microsoft broke with standards.

I've tried working with Debian to get IPSEC. I started working under the testing branch (Sarge) because I knew it was close to release. Unfortunately, the Openswan and Freeswan modules are broken. I then tried the new 2.6 kernel ipsec with racoon and racoon-tools which worked amazingly well. The only problem was that shorewall couldn't deal with the new pseudo interfaces (not ipsec0) in the stable version. In order to work with the beta version (again scheduled for release soon), I would need to start installing more beta software into the kernel which I wasn't comfortable doing.

My next step was to try a new distribution for me called IPCOP. The newest stable version installed like a champ and it seems to have regular updates. I also liked the idea that the minimum would be installed for a firewall system. Under Debian, there is always a chance I will install something unnecessary and decrease the security by human error. Setting up the VPN tunnel was even easier under this distribution. (Not as easy as other systems, IPSEC really takes some new knowledge and thinking)

Unfortunately, I quickly ran into the limitations in IPCOP. I wanted to set up a pretty complex network-to-network connection that only allowed for specific traffic between a semi-secure network and the private network. I also wanted to include some static NAT solutions that would allow our other multiple networks access to the new machines. This was able to be done under Shorewall, but IPCOP has a certain design under its Green (private network), Blue (wireless network), Orange (DMZ network), and Red (public internet). I could insert the VPN into the Blue network, but I couldn't communicate from Blue to Green, which is by design. But the design does allow for Green to normally communicate with Blue except for VPN connections.

Now I am going to save the IPCOP settings to floppy and install Debian Woody, since I can trust that if Openswan and Freeswan are in stable, then Debian Developers have made sure that all the pieces work together. I will miss using Webmin to set up Shorewall, but I think this is the best solution.

Promotion

Well, I haven't posted in a while because I was promoted a month ago. The new job should have a lot of new exciting challenges that will test me to my current limits. I'm now going to work for the Radiology Department at the hospital. We are constantly using a lot of bandwidth over our WAN and we need to be able to allow specific access to business associates. Radiology seems like a very competitive industry with a lot of money flowing.

I have seen my first super-conductor and was not impressed. They encase the MRI scanner in plastic to hide the super-coolants that keep the magnet charged. Apparently, because of super-conductor properties, they only need to charge the electronic magnet once because the electrons don't dissipate like a regular appliance. There is a cost to maintaining the super-cooled magnet but as technology gets better, I would estimate those costs decreasing.

I would guess that a computer could be energized in much the same way if it was made out of super-conductors. That would decrease our costs for batteries and power.