RON Remote Monitoring Nodes
RON nodes need to send inbound and outbound TCP, UDP, and ICMP
packets. For this reason, and to reduce any administrative hassle
of granting access to internal networks, we suggest that RON nodes
be placed outside of your firewall, or in a demilitarized zone
(DMZ). We won't be sniffing packets on the network; for RON
nodes (not nodes to which we've been given access), we will
work to ensure that the machine is as secure as we can make it by
turning off all services but sshd and our software.
If you're unsure if a particular machine will be suitable for
use by RON, please don't hesitate to ask us.
Configuring for RON access
If you're granting the RON project access to an existing FreeBSD
machine on your network, here are the steps you'll need to take:
- Create an account named ron. Give the account
a disabled password (* in the master.passwd file).
For instance, our RON entry locally looks like:
ron:*:27501:27501::0:0:Resilient Overlay Networks account:/export/home/ron:/bin/tcsh
Be sure to create a home directory for the RON account, and
set up its permissions properly: chmod 711
- Assign the account a temporary password, and contact us via
or telephone (+1.617.452.2821) to tell us the temporary
- Place the RON ssh key in
/ron/home/dir/.ssh/authorized_keys and then
chmod 644 /ron/home/dir/.ssh/authorized_keys
The easiest way to do this is to cd to the RON .ssh
directory and then issue this series of commands:
mv ron.key.pub authorized_keys
chmod 644 authorized_keys
- Place the RON account in group wheel (0) by editing
- Contact us by telephone ( +1.617.452.2821 ) to tell us the
root password on your machine, or give the RON account access
to root via 'sudo'. Note if you grant RON access to sudo,
you will need to give the account a real password, and
contact us to let us know what it is.
- Recompile your kernel (if necessary) with three kernel
If you already have a firewall configured on this machine,
you may not need to change these rules, and you will not want
to enable the "default to accept" option. Feel free to
contact us with specific configuration questions.
If your kernel does not have the bpf device
installed, you'll need to configure at least one of them.
Current FreeBSD kernels ship with bpf
enabled, but on older machines, you may need to add:
pseudo-device bpf 4
to your kernel configuration. In older kernels, the
bpf device was called bpfilter -
check in /usr/src/sys/i386/conf/LINT
to see which directive is appropriate for your system.
Why does RON need root access?
RON provides transparent encapsulation of ordinary IP traffic
by using the divert sockets found in the FreeBSD firewalling code,
in a manner similar to how a VPN or the FreeBSD NAT daemon works.
In order to obtain the traffic it encapsulates, RON must run as
root to bind a divert socket, and to open a raw IP socket on which
to re-inject its packets into the ordinary datastream.
Several utilities RON uses, such as fping
and tcping must also
run as root, because they also use raw sockets or BPF devices.
We have taken as many steps as possible to ensure that all
programs that run as root shed their privileges as soon as possible
after opening their raw network sockets.
Last modified: Tue Apr 3 18:02:36 EDT 2001