6.10. Logging In to Quagga Daemons Remotely
Problem
You understand that Quagga allows telnet logins, and that telnet is completely insecure because it sends all traffic in cleartext. But you feel pretty safe on your own network, so you want to be able to log in and run your routers remotely. Not over the Internet, which would be suicidal, but just on your own LAN.
Solution
You'll need to configure your daemons to listen on all interfaces, and then configure access controls in each daemon's configuration file.
On Debian, edit /etc/quagga/debian.conf to allow your daemons to listen to all interfaces:
vtysh_enable=yes
zebra_options=" --daemon"
ripd_options=" --daemon"
Do the same thing in Fedora, in /etc/sysconfig/quagga.
Then add these lines to each daemon's configuration file, as in this example for zebra.conf:
access-list localhost permit 127.0.0.1/32
access-list localhost deny any
access-list lan1 permit 192.168.1.0/24
access-list lan1 deny any
access-list lan2 permit 192.168.2.0/24
access-list lan2 deny any
!
line vty
 access-class localhost
 access-class lan1
 access-class lan2
That allows logins from localhost and two local subnets, and no one else. Each one is given a separate class; this lets you disable access by commenting out an access-class line.
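To see which of the classes above would admit a given source address, here is an added example (not from the book) that parses that zebra.conf fragment and applies Quagga's access-list semantics as the page describes them: entries are tried in order, the first match decides, and an address that matches nothing is denied. The config text is a constructed copy of the fragment above; only the standard library is used.

```python
import ipaddress

# Constructed copy of the zebra.conf fragment shown above.
SAMPLE_CONF = """\
access-list localhost permit 127.0.0.1/32
access-list localhost deny any
access-list lan1 permit 192.168.1.0/24
access-list lan1 deny any
access-list lan2 permit 192.168.2.0/24
access-list lan2 deny any
!
line vty
 access-class localhost
 access-class lan1
 access-class lan2
"""


def parse_conf(text):
    """Return ({list name: [(action, network or None for 'any')]}, [vty access-class names])."""
    lists, classes = {}, []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("!"):
            continue  # blank line or Quagga comment
        if parts[0] == "access-list" and len(parts) == 4:
            name, action, target = parts[1], parts[2], parts[3]
            net = None if target == "any" else ipaddress.ip_network(target, strict=False)
            lists.setdefault(name, []).append((action, net))
        elif parts[0] == "access-class" and len(parts) == 2:
            classes.append(parts[1])  # attached to 'line vty'
    return lists, classes


def list_permits(entries, addr):
    """First matching entry wins; no match means the implicit deny applies."""
    for action, net in entries:
        if net is None or addr in net:
            return action == "permit"
    return False


def permitted_by(conf_text, source_ip):
    """Names of the vty access-classes that would let source_ip log in."""
    lists, classes = parse_conf(conf_text)
    addr = ipaddress.ip_address(source_ip)
    return [name for name in classes if list_permits(lists.get(name, []), addr)]
```

Worth verifying against your own Quagga version before relying on three separate classes: if the vty keeps only one access-class name, a later access-class line replaces the earlier ones and only the last list is enforced, in which case a single list carrying all three permit entries is the safer form.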
Then, on Debian, restart Quagga:
# /etc/init.d/quagga restart
On Fedora, restart each daemon individually:
# /etc/init.d/zebra restart
# /etc/init.d/ripd restart
Now, you should be able to telnet in from your LAN neighbors by specifying the ...