Friday, June 12, 2020

VIM Cheat Sheet


Global
:help keyword – open help for keyword
:o file – open file
:saveas file – save file as
:close – close current window

Cursor Movements
h – move cursor left
j – move cursor down
k – move cursor up
l – move cursor right
H – move to top of screen
M – move to middle of screen
L – move to bottom of screen
w – jump forwards to the start of a word
W – jump forwards to the start of a word (words can contain punctuation)
e – jump forwards to the end of a word
E – jump forwards to the end of a word (words can contain punctuation)
b – jump backwards to the start of a word
B – jump backwards to the start of a word (words can contain punctuation)
0 – jump to the start of the line
^ – jump to the first non-blank character of the line
$ – jump to the end of the line
g_ – jump to the last non-blank character of the line
gg – go to the first line of the document
G – go to the last line of the document
5G – go to line 5
fx – jump to next occurrence of character x
tx – jump to before next occurrence of character x
} – jump to next paragraph (or function/block, when editing code)
{ – jump to previous paragraph (or function/block, when editing code)
zz – center cursor on screen
Ctrl + b – move back one full screen
Ctrl + f – move forward one full screen
Ctrl + d – move forward 1/2 a screen
Ctrl + u – move back 1/2 a screen

Tip: Prefix a cursor movement command with a number to repeat it. For example, 4j moves down 4 lines.

Insert Mode
i – insert before the cursor
I – insert at the beginning of the line
a – insert (append) after the cursor
A – insert (append) at the end of the line
o – append (open) a new line below the current line
O – append (open) a new line above the current line
ea – insert (append) at the end of the word
Esc – exit insert mode

Editing
r – replace a single character
J – join line below to the current line
cc – change (replace) entire line
cw – change (replace) to the end of the word
c$ – change (replace) to the end of the line
s – delete character and substitute text
S – delete line and substitute text (same as cc)
xp – transpose two letters (delete and paste)
u – undo
Ctrl + r – redo
. – repeat last command

Marking Text (Visual Mode)
v – start visual mode, mark lines, then perform an operation (such as d-delete)
V – start linewise visual mode
Ctrl + v – start blockwise visual mode
o – move to the other end of marked area
O – move to other corner of block
aw – mark a word
ab – a block with ()
aB – a block with {}
ib – inner block with ()
iB – inner block with {}
Esc – exit visual mode

Visual Commands
> – shift text right
< – shift text left
y – yank (copy) marked text
d – delete marked text
~ – switch case

Registers
:reg – show registers content
"xy – yank into register x
"xp – paste contents of register x

Tip: Registers are being stored in ~/.viminfo, and will be loaded again on next restart of vim.

Tip: Register 0 contains always the value of the last yank command.

Marks
:marks – list of marks
ma – set current position for mark A
`a – jump to position of mark A
y`a – yank text to position of mark A

Macros
qa – record macro a
q – stop recording macro
@a – run macro a
@@ – rerun last run macro
Cut and Paste
yy – yank (copy) a line
2yy – yank (copy) 2 lines
yw – yank (copy) the characters of the word from the cursor position to the start of the next word
y$ – yank (copy) to end of line
p – put (paste) the clipboard after cursor
P – put (paste) before cursor
dd – delete (cut) a line
2dd – delete (cut) 2 lines
dw – delete (cut) the characters of the word from the cursor position to the start of the next word
D – delete (cut) to the end of the line
d$ – delete (cut) to the end of the line
x – delete (cut) character

Exiting
:w – write (save) the file, but don’t exit
:w !sudo tee % – write out the current file using sudo
:wq or :x or ZZ – write (save) and quit
:q – quit (fails if there are unsaved changes)
:q! or ZQ – quit and throw away unsaved changes

Search and Replace
/pattern – search for pattern
?pattern – search backward for pattern
\vpattern – ‘very magic’ pattern: non-alphanumeric characters are interpreted as special regex symbols (no escaping needed)
n – repeat search in same direction
N – repeat search in opposite direction
:%s/old/new/g – replace all old with new throughout file
:%s/old/new/gc – replace all old with new throughout file with confirmations
:noh – remove highlighting of search matches

Search in Multiple Files
:vimgrep /pattern/ {file} – search for pattern in multiple files
e.g.
:vimgrep /foo/ **/*
:cn – jump to the next match
:cp – jump to the previous match
:copen – open a window containing the list of matches

Working With Multiple Files
:e file – edit a file in a new buffer
:bnext or :bn – go to the next buffer
:bprev or :bp – go to the previous buffer
:bd – delete a buffer (close a file)
:ls – list all open buffers
:sp file – open a file in a new buffer and split window
:vsp file – open a file in a new buffer and vertically split window
Ctrl + ws – split window
Ctrl + ww – switch windows
Ctrl + wq – quit a window
Ctrl + wv – split window vertically
Ctrl + wh – move cursor to the left window (vertical split)
Ctrl + wl – move cursor to the right window (vertical split)
Ctrl + wj – move cursor to the window below (horizontal split)
Ctrl + wk – move cursor to the window above (horizontal split)

Tabs
:tabnew or :tabnew file – open a file in a new tab
Ctrl + wT – move the current split window into its own tab
gt or :tabnext or :tabn – move to the next tab
gT or :tabprev or :tabp – move to the previous tab
#gt – move to tab number #
:tabmove # – move current tab to the #th position (indexed from 0)
:tabclose or :tabc – close the current tab and all its windows
:tabonly or :tabo – close all tabs except for the current one
:tabdo command – run the command on all tabs (e.g. :tabdo q – closes all opened tabs)

More About VIM
If you're looking for even more help with vim, then check out the Vim Masterclass course.

Linux Command Cheat Sheet

1 – SYSTEM INFORMATION

# Display Linux system information
uname -a

# Display kernel release information
uname -r

# Show which version of redhat installed
cat /etc/redhat-release

# Show how long the system has been running + load
uptime

# Show system host name
hostname

# Display the IP addresses of the host
hostname -I

# Show system reboot history
last reboot

# Show the current date and time
date

# Show this month's calendar
cal

# Display who is online
w

# Who you are logged in as
whoami


2 – HARDWARE INFORMATION

# Display messages in kernel ring buffer
dmesg

# Display CPU information
cat /proc/cpuinfo

# Display memory information
cat /proc/meminfo

# Display free and used memory ( -h for human readable, -m for MB, -g for GB.)
free -h

# Display PCI devices
lspci -tv

# Display USB devices
lsusb -tv

# Display DMI/SMBIOS (hardware info) from the BIOS
dmidecode

# Show info about disk sda
hdparm -i /dev/sda

# Perform a read speed test on disk sda
hdparm -tT /dev/sda

# Test for unreadable blocks on disk sda
badblocks -s /dev/sda


3 – PERFORMANCE MONITORING AND STATISTICS

# Display and manage the top processes
top

# Interactive process viewer (top alternative)
htop

# Display processor related statistics
mpstat 1

# Display virtual memory statistics
vmstat 1

# Display I/O statistics
iostat 1

# Display the last 100 syslog messages  (Use /var/log/syslog for Debian based systems.)
tail 100 /var/log/messages

# Capture and display all packets on interface eth0
tcpdump -i eth0

# Monitor all traffic on port 80 ( HTTP )
tcpdump -i eth0 'port 80'

# List all open files on the system
lsof

# List files opened by user
lsof -u user

# Display free and used memory ( -h for human readable, -m for MB, -g for GB.)
free -h

# Execute "df -h", showing periodic updates
watch df -h


4 – USER INFORMATION AND MANAGEMENT

# Display the user and group ids of your current user.
id

# Display the last users who have logged onto the system.
last

# Show who is logged into the system.
who

# Show who is logged in and what they are doing.
w

# Create a group named "test".
groupadd test

# Create an account named john, with a comment of "John Smith" and create the user's home directory.
useradd -c "John Smith" -m john

# Delete the john account.
userdel john

# Add the john account to the sales group
usermod -aG sales john


5 – FILE AND DIRECTORY COMMANDS

# List all files in a long listing (detailed) format
ls -al

# Display the present working directory
pwd

# Create a directory
mkdir directory

# Remove (delete) file
rm file

# Remove the directory and its contents recursively
rm -r directory

# Force removal of file without prompting for confirmation
rm -f file

# Forcefully remove directory recursively
rm -rf directory

# Copy file1 to file2
cp file1 file2

# Copy source_directory recursively to destination. If destination exists, copy source_directory into destination, otherwise create destination with the contents of source_directory.
cp -r source_directory destination

# Rename or move file1 to file2. If file2 is an existing directory, move file1 into directory file2
mv file1 file2

# Create symbolic link to linkname
ln -s /path/to/file linkname

# Create an empty file or update the access and modification times of file.
touch file

# View the contents of file
cat file

# Browse through a text file
less file

# Display the first 10 lines of file
head file

# Display the last 10 lines of file
tail file

# Display the last 10 lines of file and "follow" the file as it grows.
tail -f file


6 – PROCESS MANAGEMENT

# Display your currently running processes
ps

# Display all the currently running processes on the system.
ps -ef

# Display process information for processname
ps -ef | grep processname

# Display and manage the top processes
top

# Interactive process viewer (top alternative)
htop

# Kill process with process ID of pid
kill pid

# Kill all processes named processname
killall processname

# Start program in the background
program &

# Display stopped or background jobs
bg

# Brings the most recent background job to foreground
fg

# Brings job n to the foreground
fg n


7 – FILE PERMISSIONS

Linux chmod example

        PERMISSION      EXAMPLE

         U   G   W
        rwx rwx rwx     chmod 777 filename
        rwx rwx r-x     chmod 775 filename
        rwx r-x r-x     chmod 755 filename
        rw- rw- r--     chmod 664 filename
        rw- r-- r--     chmod 644 filename

# NOTE: Use 777 sparingly!

        LEGEND
        U = User
        G = Group
        W = World

        r = Read
        w = write
        x = execute
        - = no access


8 – NETWORKING

# Display all network interfaces and ip address
ifconfig -a

# Display eth0 address and details
ifconfig eth0

# Query or control network driver and hardware settings
ethtool eth0

# Send ICMP echo request to host
ping host

# Display whois information for domain
whois domain

# Display DNS information for domain
dig domain

# Reverse lookup of IP_ADDRESS
dig -x IP_ADDRESS

# Display DNS ip address for domain
host domain

# Display the network address of the host name.
hostname -i

# Display all local ip addresses
hostname -I

# Download http://domain.com/file
wget http://domain.com/file

# Display listening tcp and udp ports and corresponding programs
netstat -nutlp

9 – ARCHIVES (TAR FILES)

# Create tar named archive.tar containing directory.
tar cf archive.tar directory

# Extract the contents from archive.tar.
tar xf archive.tar

# Create a gzip compressed tar file name archive.tar.gz.
tar czf archive.tar.gz directory

# Extract a gzip compressed tar file.
tar xzf archive.tar.gz

# Create a tar file with bzip2 compression
tar cjf archive.tar.bz2 directory

# Extract a bzip2 compressed tar file.
tar xjf archive.tar.bz2

10 – INSTALLING PACKAGES

# Search for a package by keyword.
yum search keyword

# Install package.
yum install package

# Display description and summary information about package.
yum info package

# Install package from local file named package.rpm
rpm -i package.rpm

# Remove/uninstall package.
yum remove package

# Install software from source code.
tar zxvf sourcecode.tar.gz
cd sourcecode
./configure
make
make install

11 – SEARCH

# Search for pattern in file
grep pattern file

# Search recursively for pattern in directory
grep -r pattern directory

# Find files and directories by name
locate name

# Find files in /home/john that start with "prefix".
find /home/john -name 'prefix*'

# Find files larger than 100MB in /home
find /home -size +100M

12 – SSH LOGINS

# Connect to host as your local username.
ssh host

# Connect to host as user
ssh user@host

# Connect to host using port
ssh -p port user@host

13 – FILE TRANSFERS

# Secure copy file.txt to the /tmp folder on server
scp file.txt server:/tmp

# Copy *.html files from server to the local /tmp folder.
scp server:/var/www/*.html /tmp

# Copy all files and directories recursively from server to the current system's /tmp folder.
scp -r server:/var/www /tmp

# Synchronize /home to /backups/home
rsync -a /home /backups/

# Synchronize files/directories between the local and remote system with compression enabled
rsync -avz /home server:/backups/

14 – DISK USAGE

# Show free and used space on mounted filesystems
df -h

# Show free and used inodes on mounted filesystems
df -i

# Display disks partitions sizes and types
fdisk -l

# Display disk usage for all files and directories in human readable format
du -ah

# Display total disk usage off the current directory
du -sh

15 – DIRECTORY NAVIGATION

# To go up one level of the directory tree.  (Change into the parent directory.)
cd ..

# Go to the $HOME directory
cd

# Change to the /etc directory
cd /etc

Thursday, September 9, 2010

Multiple NIC In Same Subnet IP Address - ARP Problem

/proc/sys/net/ipv4/conf/(eth0 || eth1)/arp_filter change the value to a 1 instead of 0.

ip route del default

route add default gw 192.168.1.1 dev eth1
route add default gw 192.168.1.1 dev eth0

ip route add 192.168.1.0/24 dev eth0 table 2
ip route add 0/0 via 192.168.1.1 dev eth0 table 2
ip rule add from 192.168.1.123 table 2
ip rule add to 192.168.1.123 table 2

ip route add 192.168.1.0/24 dev eth1 table 3
ip route add 0/0 via 192.168.1.1 dev eth1 table 3
ip rule add from 192.168.1.121 table 3
ip rule add to 192.168.1.121 table 3

echo 1 > /proc/sys/net/ipv4/conf/eth0/arp_filter
echo 1 > /proc/sys/net/ipv4/conf/eth1/arp_filter

Labels:

Security Parameter for sysctl.conf - Example

sysctl -p
sysctl -w net.ipv4.route.flush=1

Example:
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

#Prevent SYN attack
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2

# Disables packet forwarding
net.ipv4.ip_forward=0

# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1

# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Disables the magic-sysrq key
kernel.sysrq = 0

# Modify system limits for Ensim WEBppliance
fs.file-max = 65000

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15

# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800

# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0

# Turn off the tcp_sack
net.ipv4.tcp_sack = 0

# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0

# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1

# Set maximum amount of memory allocated to shm to 256MB
kernel.shmmax = 268435456

# Improve file system performance
vm.bdflush = 100 1200 128 512 15 5000 500 1884 2

# Improve virtual memory performance
vm.buffermem = 90 10 60

# Increases the size of the socket queue (effectively, q0).
net.ipv4.tcp_max_syn_backlog = 1024

# Increase the maximum total TCP buffer-space allocatable
net.ipv4.tcp_mem = 57344 57344 65536

# Increase the maximum TCP write-buffer-space allocatable
net.ipv4.tcp_wmem = 32768 65536 524288

# Increase the maximum TCP read-buffer space allocatable
net.ipv4.tcp_rmem = 98304 196608 1572864

# Increase the maximum and default receive socket buffer size
net.core.rmem_max = 524280
net.core.rmem_default = 524280

# Increase the maximum and default send socket buffer size
net.core.wmem_max = 524280
net.core.wmem_default = 524280

# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000

# Allowed local port range
net.ipv4.ip_local_port_range = 16384 65536

# Increase the maximum memory used to reassemble IP fragments
net.ipv4.ipfrag_high_thresh = 512000
net.ipv4.ipfrag_low_thresh = 446464

# Increase the maximum amount of option memory buffers
net.core.optmem_max = 57344

# Increase the maximum number of skb-heads to be cached
net.core.hot_list_length = 1024

## DO NOT REMOVE THE FOLLOWING LINE!
## nsobuild:20051206

Labels:

Thursday, April 23, 2009

Solaris Command

System Information


Print system information

# prtconf

Check the memory

# prtconf | grep Memory

Swap administration, check swap size

# man swap
# swap -s


Describe instruction set architectures

# isainfo -kv

To find if the system is 32 bit or 64 bit

# isainfo -v


Packages


Extract from URL http://www.softpanorama.org/Solaris/Packages/index.shtml

All the software distributed as part of Solaris by Sun is released in package format. This includes all the standard shells and command sets. Packages clearly emerge as the preferred way of distributing software on Solaris specifically due to the following features:

Uniform package installation and removal interfaces (pkgadd and pkgrm) Ability to see exactly which (versions of) packages are installed on the system (pkgchk -l) Ability to verify the integrity of the contents of the package (pkgchk -p -l) Ability to specify package dependencies and/or incompatibilities (depend, compver) Ability to specify additional space requirements for the package (space) Ability to create custom, dynamic package installation and removal scripts (request, checkinstall, preinstall, postinstall; preremove, postremove, and Class Action scripts) It is possible to convert RPM to Solaris packages.

The most commonly used package management commands are:

pkgadd Adds a package to the target system. Only root can run "pkgadd" pkgrm Removes an installed package from a target system pkgchk Checks a file to determine from which package it was installed. In case you suspect unauthorized modification of the file you can check which package an installed file was extracted from by using the pkgchk command. pkginfo -- list of installed packages pkgadm Here is a list of typical commands used :

To add a package
# pkgadd -d
# pkgadd -d . , for example pkgadd -d . SFWsnort

To remove a package
# pkgrm

To get short description (info) on a package
# pkginfo -x
# pkginfo -l

To list all installed packages
# pkginfo

To list the files that constitute the package
# pkgchk -l
# pkgchk -l | grep Pathname # lists files only.
# pkgchk -d -l

To what package the file /usr/bin/ls belongs:
# pkgchk -lp /usr/bin/ls
or
# grep /var/sadm/install/contents

To find out what files are in a package
# grep /var/sadm/install/contents

To find out what runlevel you're in
# who -r

Services

Observing services, lets say sendmail service

#svcs -d network/smtp:sendmail
#svcs -p network/smtp:sendmail




X Applications


Clock

#/usr/openwin/bin/xclock

Move File System from ZFS to UFS

# zpool create rootpool c0t1d0s1
# zfs create rootpool/rootfs
# zfs set mountpoint=legacy rootpool/rootfs
# mkdir /zfsroot
# mount -F zfs rootpool/rootfs /zfsroot

add this entry in /etc/vfstab:

rootpool/rootfs   -                       /backup zfs     1  yes     -


Moving back from ZFS to UFS:

Identify which disk was used from zfs, in our case it was "c0t1d0s1"

#zpool destroy -R rootpool
#newfs /dev/dsk/c0t0d0s1

Check the file system

# fstyp /dev/dsk/c0t0d0s1
ufs

and mount it to use

#mount /dev/dsk/c0t0d0s1 /dirname

plz note that above mount is temporary, to make it permanent make entry in /etc/vfstab.

Comment the /etc/vfstab entry from zfs and uncomment the entry for the above partition and give

#mount -a



Some additional command for adding/deleting & setting mount point for ZFS filesystem.

# zfs list
NAME                       USED  AVAIL  REFER  MOUNTPOINT
newpool 11.0G 123G 94K /newpool
newpool/ROOT 4.43G 123G 18K legacy
newpool/ROOT/solaris10_8 4.43G 123G 4.43G /
newpool/dump 1.50G 123G 1.50G -
newpool/export 142K 123G 20K /export
newpool/export/home 122K 123G 122K /export/home
newpool/opt 18K 123G 18K /opt
newpool/swap 1G 124G 16K -
newpool/u01 4.08G 123G 4.08G /u01
#zfs destroy -rf newpool/export
#zfs create newpool/export_home
#zfs set mountpoint=/export/home newpool/export_home
# zfs list
NAME                       USED  AVAIL  REFER  MOUNTPOINT
newpool 14.8G 119G 94K /newpool
newpool/ROOT 3.99G 119G 18K legacy
newpool/ROOT/solaris10_8 3.99G 119G 3.99G /
newpool/dump 1.50G 119G 1.50G -
newpool/export_home 158M 119G 158M /export/home
newpool/opt 4.08G 119G 4.08G /opt
newpool/swap 1G 120G 16K -
newpool/u01 4.08G 119G 4.08G /u01



Reference

http://www.solarisinternals.com/wiki/index.php/ZFS_Best_Practices_Guide

How to create SWAP in Live Linux Server

How to create SWAP in Live Linux Server

[root@manage squid]# free -m

             total       used       free     shared    buffers     cached
Mem: 1005 712 292 0 23 231
-/+ buffers/cache: 457 547
Swap: 250 21 229

[root@manage squid]# df -h

Filesystem            Size  Used Avail Use% Mounted on
/dev/sda5 695M 373M 287M 57% /
/dev/sda1 23M 9.0M 13M 42% /boot
/dev/sda9 197M 928k 186M 0% /home
/dev/sda6 486M 156M 305M 34% /usr/local
/dev/sda7 32G 14G 16G 48% /var

[root@manage /]# dd if=/dev/zero of=/var/swapfile count=1024 bs=1024000

1024+0 records in
1024+0 records out

[root@manage /]# mkswap /var/swapfile

Setting up swapspace version 1, size = 1048571904 bytes

[root@manage /]# swapon /var/swapfile

[root@manage /]# free -m

             total       used       free     shared    buffers     cached
Mem: 1005 992 12 0 26 750
-/+ buffers/cache: 215 789
Swap: 1250 24 1226

[root@manage /]# vi /etc/fstab

/dev/sda5               /                       newfs   defaults        1 1
/dev/sda1 /boot newfs defaults 1 2
/dev/sda9 /home newfs defaults 1 2
/dev/fd0 /mnt/floppy auto noauto,owner 0 0
/dev/sda6 /usr/local newfs defaults 1 2
/dev/sda7 /var newfs defaults 1 2
none /proc proc defaults 0 0
none /dev/pts devpts gid=5,mode=620 0 0
/dev/sda8 swap swap defaults 0 0
/var/swapfile swap swap defaults 0 0

Labels:

Saturday, August 30, 2008

User Authentication HOWTO

Peter Hernberg
Floris Lambrechts − Language changes, various small fixes (v0.8).
2000−05−02
Revision History
Revision 0.8 2003−02−20 Revised by: fl
language changes, various small fixes
Revision 0.5 2000−05−15 Revised by: ph
added section on securing pam, added resources section
Revision 0.1 2000−05−02 Revised by: ph
initial version
Explains how user and group information is stored and how users are authenticated on a Linux system (PAM),
and how to secure you system's user authentication.
Table of Contents
1. Introduction....................................................................................................................................................1
1.1. How this document came to be.........................................................................................................1
1.2. New versions....................................................................................................................................1
1.3. Feedback..........................................................................................................................................1
1.4. Copyrights and Trademarks..............................................................................................................1
1.5. Acknowledgements and Thanks.......................................................................................................1
1.6. Assumptions about the reader...........................................................................................................2
2. How User Information is Stored on Your System.......................................................................................3
2.1. /etc/passwd.......................................................................................................................................3
2.2. Shadow passwords...........................................................................................................................3
2.3. /etc/group and /etc/gshadow.............................................................................................................3
2.4. MD5 encrypted passwords................................................................................................................4
2.5. Sifting through the mess...................................................................................................................4
3. PAM (Pluggable Authentication Modules)...................................................................................................5
3.1. Why..................................................................................................................................................5
3.2. What.................................................................................................................................................5
3.2.1. Distributions that support pam................................................................................................5
3.2.2. Installing PAM........................................................................................................................6
3.3. How..................................................................................................................................................6
3.3.1. PAM configuration files..........................................................................................................6
3.3.2. A little something....................................................................................................................6
3.3.3. Configuration syntax...............................................................................................................7
3.3.4. pam.conf configuration...........................................................................................................8
3.4. Getting more information.................................................................................................................8
4. Securing User Authentication.......................................................................................................................9
4.1. A strong /etc/pam.d/other..................................................................................................................9
4.1.1. A paranoid configuration.........................................................................................................9
4.1.2. A kinder configuration............................................................................................................9
4.1.3. Choosing a /etc/pam.d/other..................................................................................................10
4.2. Disabling logins for user with null passwords................................................................................10
4.3. Disable unused services..................................................................................................................10
4.4. Password−cracking tools................................................................................................................10
4.5. Shadow and MD5 passwords..........................................................................................................11
5. Tying it all together......................................................................................................................................12
5.1. Apache + mod_auth_pam...............................................................................................................12
5.2. Our example...................................................................................................................................12
5.3. Installing mod_auth_pam...............................................................................................................12
5.4. Configuring PAM...........................................................................................................................12
5.4.1. Deciding how to configure PAM..........................................................................................12
5.5. Configuring Apache........................................................................................................................13
5.6. Testing our setup............................................................................................................................13
User Authentication HOWTO
i
Table of Contents
6. Resources......................................................................................................................................................14
6.1. PAM...............................................................................................................................................14
6.2. General Security.............................................................................................................................14
6.3. Offline Documentation..................................................................................................................14
7. Conclusion....................................................................................................................................................15
User Authentication HOWTO
ii
1. Introduction
1.1. How this document came to be
When trying to add a number of (mostly unnecessary :) network services to my existing home network, I kept
running into the problem of authentication, so I decided to figure out how authentication works on linux
systems, write a HOWTO, and call it my senior project. I hope this document helps you understand this
often−forgotten, but very important, aspect of system administration.
1.2. New versions
Unitl I get my domain up and running properly, the newest version of this document will be available from
http://www.linuxdoc.org/.
1.3. Feedback
Comments, corrections, suggestions, flames, and flying saucer sightings can be sent to petehern@yahoo.com.
1.4. Copyrights and Trademarks
(c) 2000 Peter Hernberg
This manual may be reproduced in whole or in part, without fee, subject to the following restrictions:
The copyright notice above and this permission notice must be preserved complete on all complete or
partial copies
·
· Any translation or derived work must be approved by the author in writing before distribution.
If you distribute this work in part, instructions for obtaining the complete version of this manual must
be included, and a means for obtaining a complete version provided.
·
Small portions may be reproduced as illustrations for reviews or quotes in other works without this
permission notice if proper citation is given. Exceptions to these rules may be granted for academic
purposes: Write to the author and ask. These restrictions are here to protect us as authors, not to
restrict you as learners and educators. Any source code (aside from the SGML this document was
written in) in this document is placed under the GNU General Public License, available via
anonymous FTP from the GNU archive.
·
1.5. Acknowledgements and Thanks
Thanks to my family for putting up with me for 18 years. Thanks to the Debian folks for making such a sweet
distro for me to play with. Thanks to CGR for paying me to be a geek. Thanks to Sandy Harris for his helpful
suggestions. Finally, I'd like thank the makers of ramen noodles, because I don't know how I'd live without
them.
1. Introduction 1
1.6. Assumptions about the reader
For the purpose of this document, it is assumed that the reader is comfortably with executing commands at the
command line and editing text configuration files.
User Authentication HOWTO
1. Introduction 2
2. How User Information is Stored on Your System
2.1. /etc/passwd
On almost all linux distributions (and commercial *nixes as well), user information is stored in
/etc/passwd, a text file which contains the user's login, their encrypted password, a unique numerical user
id (called the uid), a numerical group id (called the gid), an optional comment field (usually containing such
items as their real name, phone number, etc.), their home directory, and their preferred shell. A typical entry in
/etc/passwd looks something like this:
pete:K3xcO1Qnx8LFN:1000:1000:Peter Hernberg,,,1−800−FOOBAR:/home/pete:/bin/bash
As you can see, it's pretty straight−forward. Each entry contains the six fields I described above, with each
field separated by a colon. If this were as complex as user authentication got, there would be no need for this
HOWTO.
2.2. Shadow passwords
Looking at your /etc/passwd, it's likely that you actually saw something like this:
pete:x:1000:1000:Peter Hernberg,,,1−800−FOOBAR:/home/pete:/bin/bash
Where did the encrypted password go? Before I tell you where it went, a bit explanation is required.
The /etc/passwd file, which contains information about all users, including their encrypted password, is
readable by all users, making it possible for any user to get the encrypted password of everyone on the system.
Though the passwords are encrypted, password−cracking programs are widely available. To combat this
growing security threat, shadow passwords were developed.
When a system has shadow passwords enabled, the password field in /etc/passwd is replaced by an "x"
and the user's real encrypted password is stored in /etc/shadow. Because /etc/shadow is only readable
by the root user, malicious users cannot crack their fellow users' passwords. Each entry in /etc/shadow
contains the user's login, their encrypted password, and a number of fields relating to password expiration. A
typical entry looks like this:
pete:/3GJllg1o4152:11009:0:99999:7:::
2.3. /etc/group and /etc/gshadow
Group information is stored in /etc/group. The format is similar to that of /etc/passwd, with the
entries containing fields for the group name, password, numerical id (gid), and a comma−separated list of
group members. An entry in /etc/group looks like this:
pasta:x:103:spagetti,fettucini,linguine,vermicelli
2. How User Information is Stored on Your System 3
As you can see from the "x" in the password field, group passwords can be shadowed as well. Although
groups almost never have their own passwords, it is worth noting that shadowed group password information
is stored in /etc/gshadow.
2.4. MD5 encrypted passwords
Traditionally, unix passwords were encrypted with the standard crypt() function. (For more information on the
crypt() function, see the crypt(3) manpage.) As computers grew faster, passwords encrypted with this function
became easier to crack. As the internet emerged, tools for distributing the task of password−cracking across
multiple hosts became available. Many 'newer' distributions ship with the option of encrypting passwords with
the stronger MD5 hash algorithm. (For more information on the MD5 hash algorithm, consult RFC 1321.)
While MD5 passwords will not eliminate the threat of password cracking, they will make cracking your
passwords much more difficult.
2.5. Sifting through the mess
As you can see, there are a number of different ways user authentication information can be stored on your
system (shadow passwords without MD5 encryption, /etc/passwd passwords with MD5 encryption, etc.).
How do programs like login and su know how to verify your password? Worse yet, what if you wanted to
change the way passwords are stored on your system? How will programs that need your password know that
passwords are stored differently? PAM is the answer.
User Authentication HOWTO
2. How User Information is Stored on Your System 4
3. PAM (Pluggable Authentication Modules)
Pluggable authentication modules are at the core of user authentication in any modern linux distribution.
3.1. Why
Back in the good old days of linux, if a program, such as su, passwd, login, or xlock, needed to authenticate a
user, it would simply read the necessary information from /etc/passwd. If it needed to change the users'
password, it would simply edit /etc/passwd. This simple but clumsy method presented numerous
problems for system administrators and application developers. As MD5 and shadow passwords became
increasingly popular, each program requiring user authentication had to know how to get the proper
information when dealing with a number of different schemes. If you wanted to change your user
authentication scheme, all these programs had to be recompiled. PAM eliminates this mess by enabling
programs to transparently authenticate users, regardless of how user information is stored.
3.2. What
Quoting from the Linux−PAM System Administrator's Guide: "It is the purpose of the Linux−PAM project to
separate the development of privilege granting software from the development of secure and appropriate
authentication schemes. This is accomplished by providing a library of functions that an application may use
to request that a user be authenticated." With PAM, it doesn't matter whether your password is stored in
/etc/passwd or on a server in Hong Kong. When a program needs to authenticate a user, PAM provides a
library containing the functions for the proper authentication scheme. Because this library is loaded
dynamically, changing authentication schemes can be done by simply editing a configuration file.
Flexibility is one of PAM's greatest strengths. PAM can be configured to deny certain programs the right to
authenticate users, to only allow certain users to be authenticated, to warn when certain programs attempt to
authenticate, or even to deprive all users of login privileges. PAM's modular design gives you complete
control over how users are authenticated.
3.2.1. Distributions that support pam.
Nearly all popular distributions have supported PAM for some time. Here's an incomplete list of distributions
that support PAM:
· Redhat since version 5.0
· Mandrake since 5.2
· Debian since version 2.1 (partial support in 2.1 −− complete support in 2.2)
· Caldera since version 1.3
· Turbolinux since version 3.6
· SuSE since version 6.2
This list is certainly incomplete and possibly inaccurate. I'd appreciate it if you sent any corrections or
additions to this list to .
3. PAM (Pluggable Authentication Modules) 5
3.2.2. Installing PAM
Installing PAM from scratch is long process, beyond the scope of this HOWTO. If PAM isn't installed on
your system, you're probably running such an old version of your distribution that there are many other
reasons to upgrade. If you really want to do it yourself, then you're certainly not the sort of person who needs
any help from me. For all these reasons, I'm going to assume that you already have PAM installed.
3.3. How
Enough talk, let's dig in.
3.3.1. PAM configuration files
PAM configuration files are stored in the /etc/pam.d/ directory. (If you don't have /etc/pam.d/
directory, don't worry, I'll cover that in the next section) Let's go over there and take a look.
~$ cd /etc/pam.d
/etc/pam.d/$ ls
chfn chsh login other passwd su xlock
/etc/pam.d/$
Your system may have a few more or a few less files in this directory, depending on what's installed on your
system. Whatever the details, you probably saw a file for each of the programs on your system that
authenticate users. As you probably already guessed, each file contains the PAM authentication configuration
for the program it's named after (except for the other file, which we'll talk about in a little bit). Let's take a
look the PAM configuration file for login (I've condensed the file for the sake of simplicity):
/etc/pam.d/$ cat login
# PAM configuration for login
auth requisite pam_securetty.so
auth required pam_nologin.so
auth required pam_env.so
auth required pam_unix.so nullok
account required pam_unix.so
session required pam_unix.so
session optional pam_lastlog.so
password required pam_unix.so nullok obscure min=4 max=8
Before I dig into this file, I must mention a little something.
3.3.2. A little something
A small percentage of the readers are probably thinking, "Oh no! I don't have a /etc/pam.d directory! Your list
of distributions says that my distribution includes PAM, but I can't find that directory. Without PAM, my life
is empty and meaningless! What can I do?" Don't worry, all is not lost. If you know that your distribution
includes PAM, but you have no /etc/pam.d/ directory, then your PAM configuration is stored in
/etc/pam.conf. Rather than being spread across several files, all your PAM configuration is stored in a
single file. This adds a little twist to PAM configuration, but the proper adjustments are pointed out in section
3.3.4.
User Authentication HOWTO
3. PAM (Pluggable Authentication Modules) 6
3.3.3. Configuration syntax
PAM configuration files have the following syntax:
type control module−path module−arguments
Using the login configuration file (see above) as an example let's take a look a the syntax for PAM
configuration files:
PAM configuration tokens
type
The type token tells PAM what type of authentication is to be used for this module. Modules of the
same type can be "stacked", requiring a user to meet multiple requirements to be authenticated. PAM
recognizes four types:
account
Determines whether the user is allowed to access the service, whether their passwords has
expired, etc.
auth
Determines whether the user is who they claim to be, usually by a password, but perhaps by a
more sophistcated means, such as biometrics.
password
Provides a mechanism for the user to change their authentication. Again, this usually their
password.
session
Things that should be done before and/or after the user is authenticed. This might included
things such as mounting/unmounting the user home directory, logging their login/logout, and
restricting/unrestricting the services available to the user.
In the login config file, we see at least one entry for each type. Since this the program that allows user
to login (hence the name :), it's understandable that it needs to access all of the different types of
authentication.
control
The control token tells PAM what should be done in if authentication by this module fails. PAM
recognizes four control types:
requisite
Failure to authenticate via this module results in immediate denial of authentication.
required
Failure also results in denial of authentication, although PAM will still call all the other
modules listed for this service before denying authentication.
sufficient
If authentication by this module is successful, PAM will grant authentication, even if a
previous required module failed.
optional
Whether this module succeeds or fails is only significant if it is the only module of its type for
this service.
In the configuration file for login, we see nearly all of the different control types. Most of the required
User Authentication HOWTO
3. PAM (Pluggable Authentication Modules) 7
modules are pam_unix.so (the main authentication module), the single requisite module is
pam_securetty.so (which makes sure the user is logging in on a secure console), and the only
optional module is pam_lastlog.so (the module that retrieves information on the user's most
recent login).
module−path
The module−path tells PAM which module to use and (optionally) where to find it. Most
configurations only contain the module's name, as is the case in our login configuration file. When
this is the case, PAM looks for the modules in the default PAM module directory, normally
/usr/lib/security. However, if your linux distribution conforms to the Filesystem Hierarchy
Standard (FHS), PAM modules can be found in /lib/security.
module−arguments
The module−arguments are arguments to be passed to the module. Each module has its own
arguments. For example, in our login configuration, the "nulok" ("null ok", argument being passed to
pam_unix.so module, indicating the a blank ("null") password is acceptable ("ok").
3.3.4. pam.conf configuration
If your PAM configuration is stored in /etc/pam.conf rather than /etc/pam.d/, PAM configuration
lines are a bit different. Rather than each service having its own configuration file, all configurations are
stored in /etc/pam.conf with the service name as the first token in a configuration line. For example, the
following line in /etc/pam.d/login:
auth required pam_unix.so nulok
would become the following line in /etc/pam.conf:
login auth required pam_unix.so nulok
Except for this minor difference, all the rest of the configuration PAM syntax applies.
3.4. Getting more information
For more information on configuring PAM and complete PAM module reference, consult the Linux−PAM
System Administrator's Guide. This guide serves as a thorough and up−to−date reference on PAM
configuration.
User Authentication HOWTO
3. PAM (Pluggable Authentication Modules) 8
4. Securing User Authentication
Many linux distributions ship with user authentication that is not adequately secure. This section discusses
some of the ways you make user authentication secure on your system. While doing these things will make
your system more secure, do not be so naive as to think they make you invulnerable.
4.1. A strong /etc/pam.d/other
All of the files in /etc/pam.d/ contain the configuration for a particular service. The notable exception to
this rule is the /etc/pam.d/other file. This file contains the configuration for any services which do not
have their own configuration file. For example, if the (imaginary) xyz service attempted authentication, PAM
would look for a /etc/pam.d/xyz file. Not finding one, authentication for xyz would be determined by
the /etc/pam.d/other file. Since /etc/pam.d/other is the configuration to which PAM services
fallback, it is important that it is secure. We will discuss two secure configurations of /etc/pam.d/other,
one which is quite nearly paranoid and one which is gentler.
4.1.1. A paranoid configuration
A paranoid configuration of /etc/pam.d/other is as follows:
auth required pam_deny.so
auth required pam_warn.so
account required pam_deny.so
account required pam_warn.so
password required pam_deny.so
password required pam_warn.so
session required pam_deny.so
session required pam_warn.so
With this configuration, whenever an unknown service attempts to access any of the four configuration types,
PAM denies authentication (via the pam_deny.so module) and then logs a syslog warning (via the
pam_warn.so module). Short of a bug in PAM, this configuration is brutally secure. The only problem with
that brutality is it may cause problems if your accidentally delete the configuration of another service. If your
/etc/pam.d/login was mistakenly deleted, no one would be able to login!
4.1.2. A kinder configuration
Here's configuration that isn't quite so mean:
auth required pam_unix.so
auth required pam_warn.so
account required pam_unix.so
account required pam_warn.so
password required pam_deny.so
password required pam_warn.so
session required pam_unix.so
session required pam_warn.so
This configuration will allow an unknown service to authenticate (via the pam_unix.so module), although it
4. Securing User Authentication 9
will not allow it to change the user's password. Although it allows authentication by unknown services, it logs
a syslog warning whenever such a service attempts authentication.
4.1.3. Choosing a /etc/pam.d/other
I would strongly reccomend that you implement the first /etc/pam.d/other configuration unless you
have a very good reason not to. It always a good idea to be 'secure by default'. If you ever do need to grant a
new service authentication privileges, you can simply create a PAM configuration file for that service.
4.2. Disabling logins for user with null passwords
On most linux systems, there a number of "dummy" user accounts, used to assign privileges to certain system
services like ftp, webservers, and mail gateways. Having these accounts allows your system to be more
secure, because if these services are compromised, an attacker will only gain the limited privileges available
to the dummy account, rather than the full privileges of a service running as root. However, allowing these
dummy account login privileges is a security risk, as they usually have blank (null) passwords. The
configuration option that enables null passwords is the "nullok" module−argument. You'll want to remove this
argument from any modules of 'auth' type for services that allow login. This is usually the login service, but it
may also include services like rlogin and ssh. Hence, the following line in /etc/pam.d/login:
auth required pam_unix.so nullok
should be changed to:
auth required pam_unix.so
4.3. Disable unused services
Looking at the files in /etc/pam.d/, you'll probably see configuration files for a number of programs you
don't use and maybe even a few you've never heard of. Although allowing authentication to these services
probably won't open any huge security holes, you're better off denying them authentication. The best way to
disable PAM authentication for these programs is to rename these files. Not finding the file named after the
service requesting authentication, PAM will fallback to the (hopefully) very secure /etc/pam.d/other. If
you later find that you need one of these programs, you can simply rename the file to its original name and
everything will work as it was intended.
4.4. Password−cracking tools
While password−cracking tools can be used by attackers to compromise a system, they can also be used by
system administrators as proactive tool to ensure the strength of passwords on their system. The two most
commonly used password−cracking tools are "crack" and "John the Ripper". Crack is probably included in
your favorite distribution. John the Ripper can be obtained from
http://www.false.com/security/john/index.html. Run the tools against your password database and you'll
probably be surprised with what they come up with.
Additionally, there is a PAM module which utilizes the crack library to check the strength of a users password
User Authentication HOWTO
4. Securing User Authentication 10
whenever it changed. When this module is installed, the user can only change their password to one which
meets the minimum password strength.
4.5. Shadow and MD5 passwords
As was discussed in the first section of this document, Shadow and MD5 passwords can make your system
more secure. During the installation procedure, most modern distributions will ask whether you want to install
MD5 and/or Shadow passwords. Unless you have a good reason not to, you should enable these. The process
of converting from non−shadowed/non−MD5 passwords is a complicated process, and is beyond the scope of
this document. The Shadow Password HOWTO is outdated, but it might be of some help.
User Authentication HOWTO
4. Securing User Authentication 11
5. Tying it all together
In this section, I'll give a simple example which ought to help tie together what's in the previous section.
5.1. Apache + mod_auth_pam
As our example, we'll install and configure mod_auth_pam, an Apache module that allows you to authenticate
users of your webserver using PAM. For the purpose of this example, I'll assume you have apache installed. If
it's not installed already you should be able find installation packages from your distributor.
5.2. Our example
Our goal will be to configure a restricted area of our webserver, a family/ directory, to authenticate users
via PAM. This directory contains private family information, and should only be accessible to members of the
user group family.
5.3. Installing mod_auth_pam
First, you'll want to download mod_auth_pam from http://blank.pages.de/pam/mod_auth_pam/. The following
commands will compile mod_auth_pam (you must be logged in as root):
~# tar xzf mod_auth_pam.tar.gz
~# cd mod_auth_pam−1.0a
~/mod_auth_pam−1.0a# make
~/mod_auth_pam−1.0a# make install
If you have any trouble installing the mod_auth_pam module, make sure you've installed your distribution's
apache−dev package. After you've installed mod_auth_pam, you'll need to restart apache. Apache can usually
by restarted by typing the following command (again, you must be root):
~# /etc/init.d/apache restart
5.4. Configuring PAM
The PAM configuration for Apache is stored in /etc/pam.d/httpd. The default configuration (which
was installed when you installed mod_auth_pam) is secure, but it uses a module (pam_pwdb.so) which may
not be available on many systems. (Besides, configuring it from scratch will be fun!) So delete the
/etc/pam.d/httpd file, and start with a fresh one.
5.4.1. Deciding how to configure PAM
If we're going to configure how PAM deals with Apache's authentication requests, we need to figure out
exactly what we need PAM to check for. First, we want PAM to make sure the user's password matches their
password in the standard unix password database. This sounds like the 'auth' type and the pam_unix.so
module. We'll want the module's control type to be set to 'required', so authentication will fail without a
correct password. Here's what the first line of our /etc/pam.d/httpd looks like:
5. Tying it all together 12
auth required pam_unix.so
Secondly, we must make sure that the users account is valid (i.e. their password has not expired or any such
nastiness). This is the 'account' type and is also provided by the pam_unix.so module. Again, we'll set this
module's control type to 'required'. After adding this line, our /etc/pam.d/httpd configuration looks like
this:
auth required pam_unix.so
account required pam_unix.so
It's not terribly sophisticated, but it does the job. It ought to be a good start for learning how to configure PAM
services.
5.5. Configuring Apache
Now that PAM is configured to authenticate apache's requests, we'll configure apache to properly utilize PAM
authentication to restrict access to the family/ directory. To do so, add the following lines to your
httpd.conf (usually stored in /etc/apache/ or /etc/httpd):

AuthPAM_Enabled on
AllowOverride None
AuthName "Family Secrets"
AuthType "basic"
require group family

You may need to replace /var/www/ with the default location of web documents, which is often
/home/httpd/. Wherever that is, you'll need to create the family directory.
Before we test our setup, I'll take a moment to explain the Apache configuration you just entered. The
directive is used to encapsulate configuration data for this directory. Inside this directive, we've
enabled PAM authentication ("AuthPAM_enabled on"), turned off any overriding of this configuration
("AllowOverride none"), named this authentication zone "Family Secrets" ("AuthName "Family Secrets""),
set the http authentication (not the PAM authentication) type to the default ("AuthType "basic""), and required
the user group family ("require group family").
5.6. Testing our setup
Now that we've got everything setup up properly, it's time to revel in our success. Fire up your favorite web
browser and head over to http://your−domain/family/ (replacing your−domain with, well, your domain). You
are now an uber−authenticator!
User Authentication HOWTO
5. Tying it all together 13
6. Resources
There are a number of resources, both online and offline, where you can more information about user
authentication. If you know of any resources that ought to be added to this list, drop me a line at

6.1. PAM
· Linux−PAM System Administrator's Guide
· Linux−PAM Module Writer's Manual
· Linux−PAM Application Developer's Manual
6.2. General Security
· linuxsecurity.com
· securitywatch.com
· Security HOWTO
· Packetstorm
6.3. Offline Documentation
A lot of information can be gathered from your system's manual pages. The following are some manpages
relating to user authentication. The number in parentheses refers to the manpage section. To view the
passwd(5) manpage, you would enter man 5 passwd.
· passwd(5)
· crypt(3)
· pam.d(5)
· group(5)
· shadow(5)
6. Resources 14
7. Conclusion
I hope you found this HOWTO helpful. If you have any questions, comments, or suggestions, I'd love to hear
from you. You can email me at .
7. Conclusion 15

Linux Apache SSL PHP/FI frontpage mini−HOWTO

Table of Contents
Linux Apache SSL PHP/FI frontpage mini−HOWTO....................................................................................1
Marcus Faure, marcus@faure.de............................................................................................................1
1. Introduction.........................................................................................................................................1
2. Component installation.......................................................................................................................1
3. Putting it all together...........................................................................................................................1
1. Introduction.........................................................................................................................................1
1.1 Description of the components..........................................................................................................1
1.2 Working configurations....................................................................................................................2
1.3 History..............................................................................................................................................2
2. Component installation.......................................................................................................................3
2.1 Preparations.......................................................................................................................................3
2.2 Adding PHP......................................................................................................................................3
2.3 Adding SSL.......................................................................................................................................4
2.4 Adding frontpage..............................................................................................................................4
3. Putting it all together...........................................................................................................................4
3.1 Apache modules to try.......................................................................................................................4
3.2 Giving CGI's more security...............................................................................................................5
3.3 Compiling and installing the server daemon.....................................................................................5
3.4 Adding frontpage support to a web....................................................................................................6
3.5 Starting the daemon..........................................................................................................................7
3.6 Some considerations left....................................................................................................................7
3.7 Known bugs......................................................................................................................................7
3.8 The final word...................................................................................................................................7
Linux Apache SSL PHP/FI frontpage mini−HOWTO
i
Linux Apache SSL PHP/FI frontpage mini−HOWTO
Marcus Faure, marcus@faure.de
v1.1, July 1998
This document is about building a multipurpose webserver that will support dynamic web content via the
PHP/FI scripting language, secure transmission of data based on Netscape's SSL, secure execution of
CGI's and M$ Frontpage Server Extensions
1. Introduction
· 1.1 Description of the components
· 1.2 Working configurations
· 1.3 History
2. Component installation
· 2.1 Preparations
· 2.2 Adding PHP
· 2.3 Adding SSL
· 2.4 Adding frontpage
3. Putting it all together
· 3.1 Apache modules to try
· 3.2 Giving CGI's more security
· 3.3 Compiling and installing the server daemon
· 3.4 Adding frontpage support to a web
· 3.5 Starting the daemon
· 3.6 Some considerations left
· 3.7 Known bugs
· 3.8 The final word
1. Introduction
Before you start reading: I am not a native speaker, so there are probably spelling/grammatical errors in this
document. Feel encouraged to inform me of mistakes.
1.1 Description of the components
The webserver you hopefully will get after having read this howto is composed of several parts, the original
apache sources with some (well, many) patches and some external executables. I recommend using the
Linux Apache SSL PHP/FI frontpage mini−HOWTO 1
software versions I tried, they will probably compile without greater problems and result in a fairly stable
daemon. If you are courageous, you can try to compile all the latest−stuff−with−tons−of−new−features, but
don't blame me if something fails ;−). However, you may report other working configurations to be included
in future versions of this document. All of the steps were tested on a linux 2.0.35 box, so the howto is
somewhat linux−specific, but you should be able to use it for other unixes as well.
You do not necesserily have to compile in all components. I tried to structure this howto so that you can skip
the parts you are not interested in.
The document is neither a user manual to Apache, SSL, PHP/FI nor frontpage. Its prime intention is to save
webservice providers some headaches when installing their server and to do my little contribution to the linux
community.
PHP is a scripting language that supports dynamic HTML pages. It is a bit like Apache's SSI, but by far more
complex and has database modules for many popular dbs. The GD libraries are needed by PHP.
SSL is an implementation of Netscape's Secure Socket Layer that allow secure connections over insecure
networks, e.g. to transmit credit card numbers to web based forms.
frontpage is a wysiwyg web authoring tool that makes use of some server−specific extensions called
webbots. Some people think frontpage is cool because you can create feedback forms and discussion webs
without having to know a bit about html or cgi. It even protects the designer from uploading his/her site via
ftp by using a builtin publisher. If you wish to support frontpage but do not like to setup a windows server,
the apache server extensions are your choice.
1.2 Working configurations
Though this document has been downloaded some 100 times since I published it, I received only little
feedback. In particular, noone told me of other working combinations. Combinations that work for me are:
· Linux 2.0.31, Apache 1.2.4, PHP 2.0.0, SSL 0.8.0, fp 98 3.0.3 (*)
· Linux 2.0.33, Apache 1.2.5, PHP 2.0.1, SSL 0.8.0, fp 98 3.0.3 (*)
· Linux 2.0.35, Apache 1.2.6, PHP 3, SSL 0.8.0, fp 98 3.0.4
(*) version 3.0.3 is not recommended
1.3 History
v0.0/Apr 98: Preview version
v1.0/Jun 98: Now using Apache 1.2.6, updated fp section, minor corrections
v1.1/Jul 98: Sgmlized and restructered version
You can find the latest version of this document at http://www.faure.de
Linux Apache SSL PHP/FI frontpage mini−HOWTO
1.2 Working configurations 2
2. Component installation
2.1 Preparations
You will need:
· Apache 1.2.6 http://www.apache.org/dist/apache_1_2_6.tar.gz
· PHP/FI Extensions http://php.iquest.net/files/download.phtml?/files/php−2.01.tar.gz
· GD Library http://siva.cshl.org/gd/gd.html
· SSL 0.8.0 ftp://ftp.ox.ac.uk/pub/crypto/SSL/SSLeay−0.8.0.tar.gz
· SSL patch for Apache 1.2.6 ftp://ftp.ox.ac.uk/pub/crypto/SSL/apache_1.2.6+ssl_1.17.tar.gz
· frontpage 98 server extensions and install script http://www.rtr.com/fpsupport/download.htm
Get the sources you want. Untar apche, php, gd and ssl to /usr/src. Untar the SSL patch to
/usr/src/apache_1.2.6.
2.2 Adding PHP
cd to /usr/src/gd1.2 and type make. This will build the GD library libgd.a, that should be copied to
/usr/lib. Now cd to php−2.0.1 and run ./install.
The relevant questions are:
Would you like to compile PHP/FI as an Apache module? [yN] y
Are you compiling for an Apache 1.1 or later server? [Yn] y
Are you using Apache−Stronghold? [yN] y
Does your Apache server support ELF dynamic loading? [yN] y
Apache include directory (which has httpd.h)? [/usr/local/include/apache] /usr/src/apache_1.2.6/src
Would you like to build an ELF shared library? [yN] y
Additional directories to search for .h files []: /usr/src/gd1.2
Would you like the bundled regex library? [yN] n
Like the frontpage extensions, phtml includes a security problem because it is run under the uid of the
webserver. Be sure to turn on safe mode in src/php.h and restrict the search path to a save value. There are
some other options in php.h you may want to edit. If you are very concerned about security, compile php as a
cgi. However, this will be a performance loss and not as smart as the module version.
Type make to build all files. When the compilation is done, copy mod_php.* and libphp.a to
/usr/src/apache_1.2.6/src Add a line
Module php_module mod_php.o
to the end of /usr/src/apache_1.2.6/src/Configuration, add
−lphp −lm −lgdbm −lgd
to the EXTRA_LIBS in the same file,
application/x−httpd−php phtml
to Apache's mime.types and
Linux Apache SSL PHP/FI frontpage mini−HOWTO
2. Component installation 3
AddType application/x−httpd−php .phtml
to Apache's srm.conf.
You may also want to add index.phtml to DirectoryIndex in that file so that a file index.phtml is
automatically loaded when its directory is requested.
2.3 Adding SSL
cd /usr/src/SSL−0.8.0; ./Configure linux−elf; make; make rehash This will
create libraries needed by apache. You may issue make test to verify the compilation. You have to apply
a patch to apache. It is important that you apply it before the frontpage patch, otherwise frontpage will not
work. cd to /usr/src/apache_1.2.6/src and issue patch < /usr/src/apache_1.2.6/SSLpatch. Set SSL_BASE=/usr/src/SSLeay−0.8.0 in Configuration. Make sure that Module proxy_module is disabled otherwise Apache won't compile. If you are in need of a proxy, go for Squid http://squid.nlanr.net/ Now make certificate to generate SSLconf/conf/httpsd.pem. 2.4 Adding frontpage Rename the fp30.linux.tar.Z file to fp30.linux.tar.gz, otherwise the install script will not find it. Run ./fp_install to copy the extension files to /usr/local/frontpage. zcat can usually be invoked as /usr/bin/zcat. You now have to apply the FP patch. cd to /usr/src/apache_1.2.6/src and type patch < /usr/src/frontpage/version3.0/apache−fp/fp−patch−apache_1.2.5 This will create the mod_frontpage.* files and do some modifications to Configuration etc. The 1.2.5 patch will work with both apache 1.2.5 and 1.2.6. Skip the part about installing webs, you can do that later 3. Putting it all together 3.1 Apache modules to try The modules I use besides SSL, PHP and frontpage are: Module env_module mod_env.o Module config_log_module mod_log_config.o Module mime_module mod_mime.o Module negotiation_module mod_negotiation.o Module dir_module mod_dir.o Module cgi_module mod_cgi.o Module asis_module mod_asis.o Module imap_module mod_imap.o Module action_module mod_actions.o Module alias_module mod_alias.o Module rewrite_module mod_rewrite.o Module access_module mod_access.o Module auth_module mod_auth.o Module anon_auth_module mod_auth_anon.o Linux Apache SSL PHP/FI frontpage mini−HOWTO 2.3 Adding SSL 4 Module digest_module mod_digest.o Module expires_module mod_expires.o Module headers_module mod_headers.o Module browser_module mod_browser.o 3.2 Giving CGI's more security If you are an ISP (you probably are when you read this) you will want to improve security. The suexec utility allows you to do so; it will execute cgi's under the UID of the webowner instead of executing it under the webservers UID. Go to /usr/src/apache_1.2.6/support and make suexec. chmod 4711 suxec and copy it to the location specified in ../src/httpd.h which is /usr/local/etc/httpd/sbin/suexec by default. If the path seems a little cryptic to you − it did to me − edit httpd.h and set the path to a more comfortable value. 3.3 Compiling and installing the server daemon Enter /usr/src/apache_1.2.6/src and edit Configuration to set all the Modules you want to include in your Apache daemon. When done, run ./Configure and make. This is the last (and most complicated) compilation step, so cross your fingers. If it succeeds, cp httpsd to /usr/sbin. The daemon is somewhat big, consider this when assembling your webserver. Create the directory /var/httpd with subdirectories cgi−bin, conf, htdocs, icons, virt1, virt2 and logs. In /usr/src/apache_1.2.6/conf edit access.conf−dist, mime.types and srm.conf−dist to suit your needs and copy them to var/httpd/conf/access.conf, srm.conf and mime.types. Copy the httpsd.pem you created with make certificate to /var/httpd/conf. Use the following httpd.conf: ServerType standalone Port 80 Listen 80 Listen 443 User wwwrun Group wwwrun ServerAdmin webmaster@yourhost.com ServerRoot /var/httpd ErrorLog logs/error_log TransferLog logs/access_log PidFile logs/httpd.pid ServerName www.yourhost.com MinSpareServers 3 MaxSpareServers 20 StartServers 3 SSLCACertificatePath /var/httpd/conf SSLCACertificateFile /var/httpd/conf/httpsd.pem SSLCertificateFile /var/httpd/conf/httpsd.pem SSLLogFile /var/httpd/logs/ssl.log
SSLDisable
ServerAdmin webmaster@virt1.com
DocumentRoot /var/httpd/virt1
ScriptAlias /cgi−bin/ /var/httpd/virt1/cgi−bin/
ServerName www.virt1.com
ErrorLog logs/virt1−error.log
TransferLog logs/virt1−access.log
User virt1admin
Linux Apache SSL PHP/FI frontpage mini−HOWTO
3.2 Giving CGI's more security 5
Group users


ServerAdmin webmaster@virt1.com
DocumentRoot /var/httpd/virt1
ScriptAlias /cgi−bin/ /var/httpd/virt1/cgi−bin/
ServerName www.virt1.com
ErrorLog logs/virt1−ssl−error.log
TransferLog logs/virt1−ssl−access.log
User virt1admin
Group users
SSLCACertificatePath /var/httpd/conf
SSLCACertificateFile /var/httpd/conf/httpsd.pem
SSLCertificateFile /var/httpd/conf/httpsd.pem
SSLLogFile /var/httpd/logs/virt1−ssl.log
SSLVerifyClient 0
SSLFakeBasicAuth


SSLDisable
ServerAdmin webmaster@virt2.com
DocumentRoot /var/httpd/virt2
ScriptAlias /cgi−bin/ /var/httpd/virt2/cgi−bin/
ServerName www.virt2.com
ErrorLog logs/virt2−error.log
TransferLog logs/virt2−access.log

Depending on the modules compiled in, not all directives may be available. You can retrieve a list of
available directives with httpsd −h.
3.4 Adding frontpage support to a web
Enter /usr/local/frontpage/version3.0/bin and load ./fpsrvadm. Choose install and
apache−fp. The next questions should be answered the following way:
Enter server config filename: /var/httpd/conf/httpd.conf
Enter host name for multi−hosting []: www.virt2.com
Starting install, port: www.virt2.com:80, web: ""
Enter user's name []: virt2admin
Enter user's password:
Confirm password:
Creating root web
Recalculate links for root web
Install completed.
The user name must be the unix login of the webowner. The password does not necessarily have to match the
system password. You have to manually add sendmailcommand:/usr/sbin/sendmail %r to
/usr/local/frontpage/www.virt2.com:80.conf, otherwise your users will not be able to send
web−generated eMails. kill −HUP your httpsd to make fp reread its config. You can now access
www.virt2.com with your frontpage client.
Under some circumstances fpsrvadm complaints that a root web has to be installed first. This is pretty
useless, but you should do so to silence fpsrvadm.
Linux Apache SSL PHP/FI frontpage mini−HOWTO
3.4 Adding frontpage support to a web 6
3.5 Starting the daemon
Start Apache with httpsd −f /var/httpd/conf/httpd.conf. You can now access
www.virt1.com both through http and https which is pretty cool. Of course you have to pay for a real
certificate if you want to offer webwide SSL or users might laugh at you.
Copy one of the demo files from the php examples directory to virt1 to test phtml.
3.6 Some considerations left
Do not use frontpage 97 extensions. They do not work, at least under Linux. When installing specific
versions of the c++ libraries, they appear to work but your logs will soon fill with premature end of
script headers and your mailbox will fill with complaints. Do not use frontpage 98 extensions before
version 3.0.2.1330. Do not be confused, version numbers are somewhat inheterogenous. When telnetting to
port 80, typing "get / http/1.0" and hitting return twice, you get a version number 3.0.4 for frontpage.
You can find out the more specific version number by executing
/usr/local/frontpage/currentversion/exes/_vti_bin/shtml.exe −version. Older
versions have a nasty bug that requires httpd.conf to be writable by the gid of the webserver. This should
make you scream if you are at all concerned about security. Versions since 3.0.2.1330 are more usable.
3.7 Known bugs
When touching Recalculate Links in the frontpage client, the server starts a process that consumes
99% cpu cycles and some 10 mb of memory. But even for medium−sized webs and fast machines, the client
sometimes recieves a timeout message, though the calculation will be finished correctly. Inform frontpage
users to be patient and not to hit Recalculate Links several times. Inform yourself to equip the server
with at least 64MB.
Please note that at the time of writing both SSL and frontpage work, but not at the same time, that means you
can neither publish your web using ssl nor make use of the webbots through https. You can publish your web
on port 80 and access it encrypted on port 443, but your counters etc. will be broken. I consider this a bug.
This problem shall be fixed in SSL 0.9.0.
3.8 The final word
For those who think the title of this howto is nearly as long as the document: Did you ever listened to Meat
Loaf?
O.K. readers, you're done for today. Feel free to send me your feedback, eternal gratitude, flowers, ecash,
cars, oil sources etc.
Linux Apache SSL PHP/FI frontpage mini−HOWTO
3.5 Starting the daemon 7

VoIP Howto

VoIP Howto
Table of Contents
VoIP Howto........................................................................................................................................................1
Roberto Arcomano berto@fatamorgana.com..........................................................................................1
1. Introduction.........................................................................................................................................1
2. Background.........................................................................................................................................1
3. Overview.............................................................................................................................................1
4. Technical info about VoIP...................................................................................................................1
5. Requirement........................................................................................................................................1
6. Cards setup..........................................................................................................................................2
7. Setup...................................................................................................................................................2
8. Communications using PSTN line.......................................................................................................2
9. Bandwidth consideration....................................................................................................................2
10. Glossary............................................................................................................................................2
11. Useful links.......................................................................................................................................2
1. Introduction.........................................................................................................................................2
1.1 Introduction.......................................................................................................................................2
1.2 Copyright..........................................................................................................................................3
1.3 Translations.......................................................................................................................................3
1.4 Credits...............................................................................................................................................3
2. Background.........................................................................................................................................3
2.1 The past.............................................................................................................................................3
2.2 Yesterday..........................................................................................................................................4
2.3 Today................................................................................................................................................4
2.4 The future..........................................................................................................................................4
3. Overview.............................................................................................................................................4
3.1 What is VoIP?...................................................................................................................................4
3.2 How does it work? ............................................................................................................................4
3.3 What is the advantages using VoIP rather PSTN?.............................................................................5
3.4 Then, why everybody doesn't use it yet?...........................................................................................5
4. Technical info about VoIP...................................................................................................................5
4.1 Overview on a VoIP connection........................................................................................................5
4.2 Analog to Digital Conversion............................................................................................................6
4.3 Compression Algorithms...................................................................................................................6
4.4 RTP Real Time Transport Protocol...................................................................................................6
4.5 RSVP................................................................................................................................................7
4.6 Quality of Service (QoS)...................................................................................................................7
4.7 H323 Signaling Protocol....................................................................................................................8
5. Requirement........................................................................................................................................9
5.1 Hardware requirement......................................................................................................................9
5.2 Hardware accelerating cards .............................................................................................................9
5.3 Hardware gateway cards..................................................................................................................10
5.4 Software requirement......................................................................................................................10
5.5 Gateway software............................................................................................................................10
5.6 Gatekeeper software........................................................................................................................10
5.7 Other software.................................................................................................................................11
6. Cards setup........................................................................................................................................11
6.1 Quicknet PhoneJack........................................................................................................................11
Software installation.................................................................................................................11
Settings.....................................................................................................................................12
VoIP Howto
i
Table of Contents
6.2 Quicknet LineJack..........................................................................................................................12
6.3 VoiceTronix products......................................................................................................................12
7. Setup.................................................................................................................................................12
7.1 Simple communication: IP to IP......................................................................................................13
7.2 Using names....................................................................................................................................13
7.3 Internet calling using a WINS server...............................................................................................13
7.4 ILS server........................................................................................................................................14
7.5 A big problem: the masquering.......................................................................................................14
7.6 Open Source applications................................................................................................................15
Ohphone Sintax.........................................................................................................................15
Gnomemeeting.........................................................................................................................15
7.7 Setting up a gatekeeper....................................................................................................................15
7.8 Setting up a gateway........................................................................................................................16
7.9 Compatibility Matrix.......................................................................................................................16
8. Communications using PSTN line.....................................................................................................17
8.1 Overview.........................................................................................................................................17
8.2 Scenario...........................................................................................................................................17
8.3 What can be changed in this configuration? ...................................................................................17
9. Bandwidth consideration..................................................................................................................18
10. Glossary..........................................................................................................................................19
11. Useful links.....................................................................................................................................19
11.1 Open software link.........................................................................................................................19
11.2 Commercial link...........................................................................................................................19
VoIP Howto
ii
VoIP Howto
Roberto Arcomano berto@fatamorgana.com
v1.7, August 7, 2002
Voice Over IP is a new communication means that let you telephone with Internet at almost null cost. How
this is possible, what systems are used, what is the standard, all that is covered by this Howto. Web site
http://www.fatamorgana.com/bertolinux contains latest version of this document.
1. Introduction
· 1.1 Introduction
· 1.2 Copyright
· 1.3 Translations
· 1.4 Credits
2. Background
· 2.1 The past
· 2.2 Yesterday
· 2.3 Today
· 2.4 The future
3. Overview
· 3.1 What is VoIP?
· 3.2 How does it work?
· 3.3 What is the advantages using VoIP rather PSTN?
· 3.4 Then, why everybody doesn't use it yet?
4. Technical info about VoIP
· 4.1 Overview on a VoIP connection
· 4.2 Analog to Digital Conversion
· 4.3 Compression Algorithms
· 4.4 RTP Real Time Transport Protocol
· 4.5 RSVP
· 4.6 Quality of Service (QoS)
· 4.7 H323 Signaling Protocol
5. Requirement
· 5.1 Hardware requirement
VoIP Howto 1
· 5.2 Hardware accelerating cards
· 5.3 Hardware gateway cards
· 5.4 Software requirement
· 5.5 Gateway software
· 5.6 Gatekeeper software
· 5.7 Other software
6. Cards setup
· 6.1 Quicknet PhoneJack
· 6.2 Quicknet LineJack
· 6.3 VoiceTronix products
7. Setup
· 7.1 Simple communication: IP to IP
· 7.2 Using names
· 7.3 Internet calling using a WINS server
· 7.4 ILS server
· 7.5 A big problem: the masquering.
· 7.6 Open Source applications
· 7.7 Setting up a gatekeeper
· 7.8 Setting up a gateway
· 7.9 Compatibility Matrix
8. Communications using PSTN line
· 8.1 Overview
· 8.2 Scenario
· 8.3 What can be changed in this configuration?
9. Bandwidth consideration
10. Glossary
11. Useful links
· 11.1 Open software link
· 11.2 Commercial link
1. Introduction
1.1 Introduction
This document explains about VoIP systems. Recent happenings like Internet diffusion at low cost, new
VoIP Howto
6. Cards setup 2
integration of dedicated voice compression processors, have changed common user requirements allowing
VoIP standards to diffuse. This howto tries to define some basic lines of VoIP architecture.
Please send suggestions and critics to my email address
1.2 Copyright
Copyright (C) 2000,2001 Roberto Arcomano. This document is free; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version. This document is distributed in the hope that it
will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You can get a
copy of the GNU GPL here
1.3 Translations
If you want to translate this document you are free, you only have to:
1. Check that another version of it doesn't already exist at your local LDP
2. Maintain all 'Introduction' section (including 'Introduction', 'Copyright', 'Translations', 'Credits').
Warning! You don't have to translate TXT or HTML file, you have to modify LYX file, so that it is possible
to convert it all other formats (TXT, HTML, RIFF, etc.): to do that you can use "LyX" application you
download from http://www.lyx.org.
No need to ask me to translate! You just have to let me know (if you want) about your translation.
Thank you for your translation!
1.4 Credits
Thanks to Fatamorgana Computers for hardware equipment and experimental opportunity.
Thanks to Linux Documentation Project for publishing and uploading my document in a very quickly
fashion.
Thanks to David Price for his support.
2. Background
2.1 The past
More than 30 years ago Internet didn't exist. Interactive communications were only made by telephone at
PSTN line cost.
VoIP Howto
1.2 Copyright 3
Data exchange was expansive (for a long distance) and no one had been thinking to video interactions (there
was only television that is not interactive, as known).
2.2 Yesterday
Few years ago we saw appearing some interesting things: PCs to large masses, new technologies to
communicate like cellular phones and finally the great net: Internet; people begun to communicate with new
services like email, chat, etc. and business reborned with the web allowing people buy with a "click".
2.3 Today
Today we can see a real revolution in communication world: everybody begins to use PCs and Internet for
job and free time to communicate each other, to exchange data (like images, sounds, documents) and,
sometimes, to talk each other using applications like Netmeeting or Internet Phone. Particularly starts to
diffusing a common idea that could be the future and that can allow real−time vocal communication: VoIP.
2.4 The future
We cannot know what is the future, but we can try to image it with many computers, Internet almost
everywhere at high speed and people talking (audio and video) in a real time fashion. We only need to know
what will be the means to do this: UMTS, VoIP (with video extension) or other? Anyway we can notice that
Internet has grown very much in the last years, it is free (at least as international means) and could be the
right communication media for future.
3. Overview
3.1 What is VoIP?
VoIP stands for 'V'oice 'o'ver 'I'nternet 'P'rotocol. As the term says VoIP tries to let go voice (mainly human)
through IP packets and, in definitive through Internet. VoIP can use accelerating hardware to achieve this
purpose and can also be used in a PC environment.
3.2 How does it work?
Many years ago we discovered that sending a signal to a remote destination could have be done also in a
digital fashion: before sending it we have to digitalize it with an ADC (analog to digital converter), transmit
it, and at the end transform it again in analog format with DAC (digital to analog converter) to use it.
VoIP works like that, digitalizing voice in data packets, sending them and reconverting them in voice at
destination.
Digital format can be better controlled: we can compress it, route it, convert it to a new better format, and so
on; also we saw that digital signal is more noise tolerant than the analog one (see GSM vs TACS).
TCP/IP networks are made of IP packets containing a header (to control communication) and a payload to
transport data: VoIP use it to go across the network and come to destination.
VoIP Howto
2.2 Yesterday 4
Voice (source) − − ADC − − − − Internet − − − DAC − − Voice (dest)
3.3 What is the advantages using VoIP rather PSTN?
When you are using PSTN line, you typically pay for time used to a PSTN line manager company: more time
you stay at phone and more you'll pay. In addition you couldn't talk with other that one person at a time.
In opposite with VoIP mechanism you can talk all the time with every person you want (the needed is that
other person is also connected to Internet at the same time), as far as you want (money independent) and, in
addition, you can talk with many people at the same time.
If you're still not persuaded you can consider that, at the same time, you can exchange data with people are
you talking with, sending images, graphs and videos.
3.4 Then, why everybody doesn't use it yet?
Unfortunately we have to report some problem with the integration between VoIP architecture and Internet.
As you can easy imagine, voice data communication must be a real time stream (you couldn't speak, wait for
many seconds, then hear other side answering): this is in contrast with the Internet heterogeneous architecture
that can be made of many routers (machines that route packets), about 20−30 or more and can have a very
high round trip time (RTT), so we need to modify something to get it properly working.
In next sections we'll try to understand how to solve this great problem. In general we know that is very
difficult to guarantee a bandwidth in Internet for VoIP application.
4. Technical info about VoIP
Here we see some important info about VoIP, needed to understand it.
4.1 Overview on a VoIP connection
To setup a VoIP communication we need:
1. First the ADC to convert analog voice to digital signals (bits)
Now the bits have to be compressed in a good format for transmission: there is a number of protocols
we'll see after.
2.
Here we have to insert our voice packets in data packets using a real−time protocol (typically RTP
over UDP over IP)
3.
4. We need a signaling protocol to call users: ITU−T H323 does that.
At RX we have to disassemble packets, extract datas, then convert them to analog voice signals and
send them to sound card (or phone)
5.
All that must be done in a real time fashion cause we cannot waiting for too long for a vocal answer!
(see QoS section)
6.
Base architecture
Voice )) ADC − Compression Algorithm − Assembling RTP in TCP/IP −−−−−
VoIP Howto
3.3 What is the advantages using VoIP rather PSTN? 5
−−−−> |
<−−−− |
Voice (( DAC − Decompress. Algorithm − Disass. RTP from TCP/IP −−−−−
4.2 Analog to Digital Conversion
This is made by hardware, typically by card integrated ADC.
Today every sound card allows you convert with 16 bit a band of 22050 Hz (for sampling it you need a freq
of 44100 Hz for Nyquist Principle) obtaining a throughput of 2 bytes * 44100 (samples per second) = 88200
Bytes/s, 176.4 kBytes/s for stereo stream.
For VoIP we needn't such a throughput (176kBytes/s) to send voice packet: next we'll see other coding used
for it.
4.3 Compression Algorithms
Now that we have digital data we may convert it to a standard format that could be quickly transmitted.
PCM, Pulse Code Modulation, Standard ITU−T G.711
· Voice bandwidth is 4 kHz, so sampling bandwidth has to be 8 kHz (for Nyquist).
· We represent each sample with 8 bit (having 256 possible values).
· Throughput is 8000 Hz *8 bit = 64 kbit/s, as a typical digital phone line.
In real application mu−law (North America) and a−law (Europe) variants are used which code analog
signal a logarithmic scale using 12 or 13 bits instead of 8 bits (see Standard ITU−T G.711).
·
ADPCM, Adaptive differential PCM, Standard ITU−T G.726
It converts only the difference between the actual and the previous voice packet requiring 32 kbps (see
Standard ITU−T G.726).
LD−CELP, Standard ITU−T G.728
CS−ACELP, Standard ITU−T G.729 and G.729a
MP−MLQ, Standard ITU−T G.723.1, 6.3kbps, Truespeech
ACELP, Standard ITU−T G.723.1, 5.3kbps, Truespeech
LPC−10, able to reach 2.5 kbps!!
This last protocols are the most important cause can guarantee a very low minimal band using source coding;
also G.723.1 codecs have a very high MOS (Mean Opinion Score, used to measure voice fidelity) but
attention to elaboration performance required by them, up to 26 MIPS!
4.4 RTP Real Time Transport Protocol
Now we have the raw data and we want to encapsulate it into TCP/IP stack. We follow the structure:
VoIP data packets
RTP
UDP
IP
I,II layers
VoIP Howto
4.2 Analog to Digital Conversion 6
VoIP data packets live in RTP (Real−Time Transport Protocol) packets which are inside UDP−IP packets.
Firstly, VoIP doesn't use TCP because it is too heavy for real time applications, so instead a UDP (datagram)
is used.
Secondly, UDP has no control over the order in which packets arrive at the destination or how long it takes
them to get there (datagram concept). Both of these are very important to overall voice quality (how well you
can understand what the other person is saying) and conversation quality (how easy it is to carry out a
conversation). RTP solves the problem enabling the receiver to put the packets back into the correct order and
not wait too long for packets that have either lost their way or are taking too long to arrive (we don't need
every single voice packet, but we need a continuous flow of many of them and ordered).
Real Time Transport Protocol
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+
|V=2|P|X| CC |M| PT | sequence number |
+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+
| timestamp |
+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+
| synchronization source (SSRC) identifier |
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
| contributing source (CSRC) identifiers |
| .... |
+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+−+
Where:
· V indicates the version of RTP used
· P indicates the padding, a byte not used at bottom packet to reach the parity packet dimension
· X is the presence of the header extension
CC field is the number of CSRC identifiers following the fixed header. CSRC field are used, for
example, in conference case.
·
· M is a marker bit
· PT payload type
For a complete description of RTP protocol and all its applications see relative RFCs 1889 and 1890.
4.5 RSVP
There are also other protocols used in VoIP, like RSVP, that can manage Quality of Service (QoS).
RSVP is a signaling protocol that requests a certain amount of bandwidth and latency in every network hop
that supports it.
For detailed info about RSVP see the RFC 2205
4.6 Quality of Service (QoS)
We said many times that VoIP applications require a real−time data streaming cause we expect an interactive
data voice exchange.
VoIP Howto
4.5 RSVP 7
Unfortunately, TCP/IP cannot guarantee this kind of purpose, it just make a "best effort" to do it. So we need
to introduce tricks and policies that could manage the packet flow in EVERY router we cross.
So here are:
TOS field in IP protocol to describe type of service: high values indicate low urgency while more and
more low values bring us more and more real−time urgency
1.
Queuing packets methods:
1. FIFO (First in First Out), the more stupid method that allows passing packets in arrive order.
WFQ (Weighted Fair Queuing), consisting in a fair passing of packets (for example, FTP
cannot consume all available bandwidth), depending on kind of data flow, typically one
packet for UDP and one for TCP in a fair fashion.
2.
3. CQ (Custom Queuing), users can decide priority.
PQ (Priority Queuing), there is a number (typically 4) of queues with a priority level each
one: first, packets in the first queue are sent, then (when first queue is empty) starts sending
from the second one and so on.
4.
CB−WFQ (Class Based Weighted Fair Queuing), like WFQ but, in addition, we have classes
concept (up to 64) and the bandwidth value associated for each one.
5.
2.
Shaping capability, that allows to limit the source to a fixed bandwidth in:
1. download
2. upload
3.
4. Congestion Avoidance, like RED (Random Early Detection).
For an exhaustive information about QoS see Differentiated Services at IETF.
4.7 H323 Signaling Protocol
H323 protocol is used, for example, by Microsoft Netmeeting to make VoIP calls.
This protocol allow a variety of elements talking each other:
Terminals, clients that initialize VoIP connection. Although terminals could talk together without
anyone else, we need some additional elements for a scalable vision.
1.
Gatekeepers, that essentially operate:
1. address translation service, to use names instead IP addresses
2. admission control, to allow or deny some hosts or some users
3. bandwidth management
2.
3. Gateways, points of reference for conversion TCP/IP − PSTN.
4. Multipoint Control Units (MCUs) to provide conference.
5. Proxies Server also are used.
h323 allows not only VoIP but also video and data communications.
Concerning VoIP, h323 can carry audio codecs G.711, G.722, G.723, G.728 and G.729 while for video it
supports h261 and h263.
More info about h323 is available at Openh323 Standards, at this h323 web site and at its standard
description: ITU H−series Recommendations.
VoIP Howto
4.7 H323 Signaling Protocol 8
You can find it implemented in various application software like Microsoft Netmeeting, Net2Phone, DialPad,
... and also in freeware products you can find at Openh323 Web Site.
5. Requirement
5.1 Hardware requirement
To create a little VoIP system you need the following hardware:
1. PC 386 or more
2. Sound card, full duplex capable
a network card or connection to internet or other kind of interface to allow communication between 2
PCs
3.
All that has to be present twice to simulate a standard communication.
The tool above are the minimal requirement for a VoIP connection: next we'll see that we should (and in
Internet we must) use more hardware to do the same in a real situation.
Sound card has be full duplex unless we couldn't hear anything while speaking!
As additional you can use hardware cards (see next) able to manage data stream in a compressed format (see
Par 4.3).
5.2 Hardware accelerating cards
We can use special cards with hardware accelerating capability. Two of them (and also the only ones directly
managed by the Linux kernel at this moment) are the
1. Quicknet PhoneJack
2. Quicknet LineJack
3. VoiceTronix V4PCI
4. VoiceTronix VPB4
5. VoiceTronix VPB8L
Quicknet PhoneJack is a sound card that can use standard algorithms to compress audio stream like G723.1
(section 4.3) down to 4.1 Kbps rate.
It can be connected directly to a phone (POTS port) or a couple mic−speaker.
It has a ISA or PCI connector bus.
Quicknet LineJack works like PhoneJack with some addition features (see next).
VoiceTronix V4PCI is a PCI card pretty like Quicknet LineJack but with 4 phone ports
VoiceTronix VPB4 is a ISA card equivalent to V4PCI.
VoIP Howto
5. Requirement 9
VoiceTronix VPB8L is a logging card with 8 ports.
For more info see Quicknet web site and VoiceTronix web site
5.3 Hardware gateway cards
Quicknet LineJack and VoiceTronix cards can be connected to a PSTN line allowing VoIP gateway feature.
Then you'll need a software to manage it (see after).
5.4 Software requirement
We can choose what O.S. to use:
1. Win9x
2. Linux
Under Win9x we have Microsoft Netmeeting, Internet Phone, DialPad or others or Internet Switchboard
(from Quicknet web site) for Quicknet cards.
Warning!!: Latest Quicknet cards using Swithboard (older version too) NEED to be connected to Internet to
get working for managing Microtelco account (not free of charge), so if you plan to remain isolated from
Internet you need to install OpenH323 software.
For VoiceTronix cards you can find software at VoiceTronix web site
Under Linux we have free software GnomeMeeting, a clone of Microsoft Netmeeting, while in console mode
we use (also free software) applications from OpenH323 web site: simph323 or ohphone that can also work
with Quicknet accelerating hardware.
Attention: all Openh323 source code has to be compiled in a user directory (if not it is necessary to change
some environment variable). You are warned that compiling time could be very high and you could need a lot
of RAM to make it in a decent time.
5.5 Gateway software
To manage gateway feature (join TCP/IP VoIP to PSTN lines) you need some kind of software like this:
Internet SwitchBoard (only when connected to Internet) for Windows systems also acting as a h323
terminal;
·
· PSTNGw for Linux and Windows systems you download from OpenH323.
5.6 Gatekeeper software
You can choose as gatekeeper:
1. Opengatekeeper, you can download from opengatekeeper web site for Linux and Win9x.
2. Openh323 Gatekeeper (GK) from here.
VoIP Howto
5.3 Hardware gateway cards 10
5.7 Other software
In addition I report some useful software h323 compliant:
Phonepatch, able to solve problems behind a NAT firewall. It simply allows users (external or
internal) calling from a web page (which is reachable from even external and internal users): when
web application understands the remote host is ready, it calls (h323) the source telling it all is ok and
communication can be established. Phonepatch is a proprietary software (with also a demo version
for no more than 3 minutes long conversations) you download from here.
·
6. Cards setup
Here we see how to configure special hardware card in Linux and Windows environment.
6.1 Quicknet PhoneJack
As we saw, Quicknet Phonejack is a sound card with VoIP accelerating capability. It supports:
· G.711 normal and mu/A−law, G.728−9, G.723.1 (TrueSpeech) and LPC10.
· Phone connector (to allow calling directly from your phone) or
· Mic & speaker jacks.
Quicknet PhoneJack is a ISA (or PCI) card to install into your Pc box. It can work without an IRQ.
Software installation
Under Windows you have to install:
1. Card driver
2. Internet Switchboard application (working only with Internet, using newer Quicknet cards)
all downloadable from Quicknet web site
After Switchboard has been installed, you need to register to Quicknet to obtain full capability of your card.
When you pick up the phone Internet Switchboard wakes up and waits for your calling number (directly
entered from your phone), you can:
1. enter an asterisk, then type an IP number (with asterisks in place of dot) with a # in the end
type directly a PSTN phone number (with international prefix) to call a classic phone user. In this
case you need a registration to a gateway manager to which pay for time.
2.
enter directly a quick dial number (up to 2 digits) you have previously stored which make a call (IP
or PSTN).
3.
Internet Swichboard is h323 compatible, so if you can use, for example, Microsoft Netmeeting at the other
end to talk.
Warning!! Internet Switchboard NEED to be connected to Internet when used with newer Quicknet cards
VoIP Howto
5.7 Other software 11
In place of Internet Switchboard you can use openh323 application openphone (using GUI) or
ohphone (command line).
Under Linux you have to install:
Card driver, from Quicknet web site. After downloaded you have to compile it (you must have a
/usr/src/linux soft or hard link to your Linux source directory): type make for instructions.
1.
2. Application openphone or ohphone.
3. If you are a developer you can use SDK to create your own application (also for Windows).
Settings
With Internet Switchboard (and with other application) you can:
1. Change compression algorithm preferred
2. Tune jitter delay
3. Adjust volume
4. Adjust echo cancellation level.
6.2 Quicknet LineJack
This card is very similar to the previous, it supports also gateway feature.
We only notice that we have to download PSTNGx application (for Linux and Windows) or we use Internet
Switchboard to gateway feature.
6.3 VoiceTronix products
1. First download software here
2. Untar it
3. Modify 'src/vpbreglinux.cpp' according to file README
4. type 'make'
5. type 'make install'
6. cd to src
7. type 'insmod vpb.o'
8. retrieve (from console of from 'dmesg' output command) major number, say MAJOR
9. type 'mknod /dev/vpb0 c MAJOR 0' where MAJOR is the above number
10. cd to unittest and type './echo'
Follow README file for more help.
I personally haven't tested VoiceTronix products so please contact VoiceTronix web site for support.
7. Setup
In this chapter we try to setup VoIP system, simple at first, then more and more complex.
VoIP Howto
Settings 12
7.1 Simple communication: IP to IP
A (Sound card) − − − B (Sound card)
192.168.1.1 − − − 192.168.1.2
192.168.1.1 calls 192.168.1.2 and viceversa.
A and B should have
an application like Microsoft Netmeeting, Internet Switchboard, Openh323 (under Windows
environment) or Ohphone, Gnomemeeting (under Linux), installed and properly configured.
1.
2. a network card or other kind of TCP/IP interface to talk each other.
In this kind of view A can make a H323 call to B (if B has server side application active) using B IP address.
Then B can answer to it if it wants. After accepting call, VoIP data packets start to flow.
7.2 Using names
Under Microsoft Windows a NetBIOS name can be used instead of an IP address.
A − − − B
192.168.1.1 − − − 192.168.1.2
John − − − Alice
John calls Alice.
This is possible cause John call request to Alice is converted to IP calling by the NetBIOS protocol.
The above 2 examples are very easy to implement but aren't scalable.
In a more big view such as Internet it is impossible to use direct calling cause, usually, the callers don't know
the destination IP address. Furthermore NetBIOS naming feature cannot work cause it uses broadcast
messages, which typically don't pass ISP routers .
You can also use DNS to solve name in IP address: for example you can call ''box.domain.com''.
7.3 Internet calling using a WINS server
The NetBIOS name calling idea can be implemented also in a Internet environment, using a WINS server:
NetBIOS clients can be configured to use a WINS server to resolve names.
PCs using the same WINS server will be able to make direct calling between them.
A (WINS Server is S) − − − − I − − − − B (WINS Server is S)
N
T
E − − − − − S (WINS Server)
C (WINS Server is S) − − − − R
VoIP Howto
7.1 Simple communication: IP to IP 13
N
E − − − − D (WINS Server is S)
T
Internet communication
A, B, C and D are in different subnets, but they can call each other in a NetBIOS name calling fashion. The
needed is that all are using S as WINS Server.
Note: WINS server hasn't very high performance cause it use NetBIOS feature and should only be used for
joining few subnets.
7.4 ILS server
ILS is a kind of server which allows you to solve your name during an H323 calling: when you start VoIP
application you first register to ILS server using a name, then everyone will be able to see you using that
name (if he uses same Server ILS!).
7.5 A big problem: the masquering.
A problem of few IPs is commonly solved using the so called masquering (also NAT, network address
translation): there is only 1 IP public address (that Internet can directly "see"), the others machines are
"masqueraded" using all this IP.
A − − −
B − − − Router with NAT − − − Internet
C − − −
This doesn't work
In the example A,B and C can navigate, pinging, using mail and news services with Internet people, but they
CANNOT make a VoIP call. This because H323 protocol send IP address at application level, so the answer
will never arrive to source (that is using a private IP address).
Solutions:
there is a Linux module that modifies H323 packets avoiding this problem. You can download the
module here. To install it you have to copy it to source directory specified, modify Makefile and go
compiling and installing module with "modprobe ip_masq_h323". Unfortunately this module cannot
work with ohphone software at this moment (I don't know why).
·
A − − − Router with NAT
B − − − + − − − Internet
C − − − ip_masq_h323 module
This works
VoIP Howto
7.4 ILS server 14
· There is a application program that also solves this problem: for more see Par 5.7
A − − −
B − − − PhonePatch − − − Internet
C − − −
This works
7.6 Open Source applications
Ohphone Sintax
Sintax is:
"ohphone −l|−−listen [options]"
"ohphone [options]... address"
· "−l", listen to standard port (1720)
· "address", mean that we don't wait for a call, but we connect to "address" host
· "−n", "−−no−gatekeeper", this is ok if we haven't a gatekeeper
· "−q num", "−−quicknet num", it uses Quicknet card, device /dev/phone(num)
· "−s device", "−−sound device", it uses /dev/device sound device.
· "−j delay", "−−jitter delay", it change delay buffer to "delay".
Also, when you start ohphone, you can give command to the interpreter directly (like decrease AEC,
Automatic Echo Cancellation).
Gnomemeeting
Gnomemeeting is an application using GUI interface to make call using VoIP. It is very simple to use and
allows you to use ILS server, chat and other things.
7.7 Setting up a gatekeeper
You can also experiment gatekeeper feature
Example
(Terminal H323) A − − −
\
(Terminal H323) B − − − D (Gatekeeper)
/
(Terminal H323) C − − −
Gatekeeper configuration
1. Hosts A,B and C have gatekeeper setting to point to D.
VoIP Howto
7.6 Open Source applications 15
At start time each host tells D own address and own name (also with aliases) which could be used by
a caller to reach it.
2.
When a terminal asks D for an host, D answers with right IP address, so communication can be
established.
3.
We have to notice that the Gatekeeper is able only to solve name in IP address, it couldn't join hosts that
aren't reachable each other (at IP level), in other words it couldn't act as a NAT router.
You can find gatekeeper code here: openh323 library is also required.
Program has only to be launch with −d (as daemon) or −x (execute) parameter.
In addition you can use a config file (.ini) you find here.
7.8 Setting up a gateway
As we said, gateway is an entity that can join VoIP to PSTN lines allowing us to made call from Internet to a
classic telephone. So, in addition, we need a card that could manage PSTN lines: Quicknet LineJack does it.
From OpenH323 web site we download:
1. driver for Linejack
2. PSTNGw application to create our gateway.
If executable doesn't work you need to download source code and openh323 library, then install all in a home
user directory.
After that you only need to launch PSTNGw to start your H323 gateway.
7.9 Compatibility Matrix
First Matrix refers to:
1. Software intercommunications (i.e. Netmeeting with SwitchBoard)
2. Software/Driver/Hardware talking (i.e. Netmeeting can use a PhoneJACK card).
_____________________________________________________________________________________________________________________
| | Netmeeting |SwitchBoard | Simph323 | OhPhone | LinPhone |Speak−Freely|HW PhoneJACK||____________|____________|____________|____________|____________|_____________|____________|____________|____________|
| Netmeeting | V V V V X X |____________|____________|____________|____________|____________|_____________|____________|____________|____________|
|SwitchBoard | V V V V X X |____________|____________|____________|____________|____________|_____________|____________|____________|____________|
| Simph323 | V V V V X X |____________|____________|____________|____________|____________|_____________|____________|____________|____________|
| OhPhone | V V V V X X |____________|____________|____________|____________|____________|_____________|____________|____________|____________|
| LinPhone | X X X X V X |____________|____________|____________|____________|____________|_____________|____________|____________|____________|
|SpeakFreely | X X X X X V |____________|____________|____________|____________|____________|_____________|____________|____________|____________|
|HW PhoneJACK| V V X V X X |____________|____________|____________|____________|____________|_____________|____________|____________|____________|
VoIP Howto
7.8 Setting up a gateway 16
|HW LineJACK | V V X V X X |____________|____________|____________|____________|____________|_____________|____________|____________|____________|
Second Matrix refers to Gateway softwares that manage LineJACK card.
___________________________________________________________
| |HW LineJACK GW| SwitchBoard | PSTNGW |
|______________|______________|______________|______________|
|HW LineJACK GW| _ | V | V |
|______________|______________|______________|______________|
| SwitchBoard | V | _ | _ |
|______________|______________|______________|______________|
| PSTNGW | V | _ | _ |
|______________|______________|______________|______________|
Notation:
· V : Works
· X : Doesn't Work
· −− : Doesn't care
8. Communications using PSTN line
8.1 Overview
VoIP becomes very interesting when you start to use PSTN lines to call other people in the world, directly to
their home telephone.
8.2 Scenario
A typical application is like that:
Home telephone1 −− (PSTN) −− PC1 −− (Internet) −− PC2 −− (PSTN) −− Home telephone2
Home Telephone1 make a calls to PC1 phone number (using PSTN line, I mean classic telephone
line).
1.
2. PC1 answer to it.
Home telephone1 must tell PC1 what gateway use (PC2 in this case) by giving the IP address (from
DTMF keyboard) and/or what number call (in this case Home telephone2).
3.
After that PC1 will start to make an H323 call to PC2, then it will pass Home telephone2 to PC2 to
make it call it throught PSTN line.
4.
Home telephone2 answers to call and communication between Home telephone1 and Home
telephone2 begins.
5.
8.3 What can be changed in this configuration?
You may use a PBX to select many lines to access many PC1 gateway (for example one to call
within your state, one to go accross Europe, and so on...): typically you don't have to change this,
cause cost is always the same.
1.
VoIP Howto
8. Communications using PSTN line 17
You can select (after called your PC1 gateway) every PC2 you want (for example a PC2 living in
England to call an English person so that you'd pay only intra−country costs).
2.
So your decision will be taken considering PSTN line costs. In fact what VoIP does is the convert this:
Home Telephone1 −−− (PSTN) −−− Home Telephone2
PSTN great distance calling cost
into this:
Home Telephone1 −−− (PSTN) −−− PC1 +
PC2 −−−− (PSTN) −−− Home Telephone2 =
−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
2 PSTN short distance calling costs
To save money you need that:
2 PSTN short distance calling costs < PSTN great distance calling cost
Typically "short distance calling" refers to a "city cal" while "great distance calling" can be an
"intercontinental call"!
9. Bandwidth consideration
From all we said before we noticed that we still have not solved problems about bandwidth, how to create a
real time streaming of data.
We know we couldn't find a solution unless we enable a right real−time manager protocol in each router we
cross, so what do we can do?
First we try to use a very (as more as possible) high rate compression algorithms (like LPC10 which only
consumes a 2.5 kbps bandwidth, about 313 bytes/s).
Then we starts classify our packets, in TOS field, with the most high priority level, so every router help us
having urgently.
Important: all that is not sufficient to guarantee our conversation would always be ok, but without an great
infrastructure managing shaping, bandwidth reservation and so on, it is not possible to do it, TCP/IP is not a
real time protocol.
A possible solution could be starts with little WAN at guaranteed bandwidth and get larger step by step.
We finally have to notice a thing: also the so called guaranteed services like PSTN line could not manage all
clients they have: for example a GSM call is not able to manage more that some hundred or some thousand of
clients.
Anyway for a starting service, limited to few users, VoIP can be a valid alternative to classic PSTN service.
VoIP Howto
9. Bandwidth consideration 18
10. Glossary
PSTN: Public Switched Telephone Network
VoIP: Voice over Internet Protocol
LAN: Local Area Network
WAN: Wide Area Network
TOS: Type Of Service
ISP: Internet Service Provider
RTP: Real Time Protocol
RSVP: ReSerVation Protocol
QoS: Quality of Service
11. Useful links
11.1 Open software link
· Voxilla
· Linux Telephony
· Open H323 web site
· http://www.gnomemeeting.org/
· Speak Freely
· http://www.linphone.org
· http://www.fsf.org/software/osip
· http://www.gnu.org/software/bayonne
11.2 Commercial link
· Fatamorgana Computers
· International Communication Union
· Voicetronix web site
· Quicknet Web site
· Cisco Systems
· www.metropark.com
· www.nbxsoftware.com
VoIP Howto
10. Glossary 19