Phaeton/Roadster Development Project
Generously supported by the Community
Downloads
Shameless Begging
This software is free to download at no cost. Through your generosity,
I've been able to procure a web host with a fat pipe to serve up Roadster's
ISOs, the source tarballs and, in time, updates. Your continued support
via PayPal will help ensure that I can continue to develop and enhance
Roadster.
Roadster Downloads
News
16 MAY 2012 — Roadster Mark II, Mod 1 is released and available for download.
- Say ciao to syslinux. Grub (legacy) is now used for all booting (ISO,
flash and system). It now polls both the VESA console and ttyS0 (COM A)
on startup, allowing easy use of either a normal console or a serial
port. As a relic of struggling to make Grub2 work, partition 5 is a
'grub boot' partition near the beginning of the disk.
- Without syslinux, the kernel's 'quiet' parameter now takes effect. Most
of the incomprehensible techno-goop displayed during startup is gone.
- Make_flash has been tweaked to enable you to set Grub's serial port
baud rate.
- The installer has been tweaked to let you set the serial port
baud rate.
- The installer now waits only six seconds for drives (IDE/SATA/USB) to
become active and visible.
- The installer already allowed installing fresh, installing fresh with
a restoration of previous variable data, and restoring the complete
system. It now allows you to restore to different hardware.
If the NICs have changed, it runs setup to allow you to reassign
the NICs (and addresses). It also allows the filesystem to be changed
between EXT3 and Reiserfs.
- Setup now prompts for the time zone. And, at long last, it defaults to
US/Eastern timezone and US keyboard.
- Setup no longer prompts for 'openness'. The outbound firewall is now
closed with the usual exceptions to make the system usable out-of-box.
The new TOFC (see below) makes it easy to control outbound conns with
good precision.
- Setup now runs writedhcp.pl instead of writing dhcpd.conf itself.
PURPLE settings and GREEN reservations are no longer 'lost' when
GREEN's DHCP is adjusted via setup.
- The system clock is now kept consistent with the hardware clock.
Choosing a time zone other than UTC (GMT) now works.
- The system now positively identifies conns as incoming, outgoing or
internal.
- The system now positively identifies conns as related. (Tech: iptables'
RELATED state refers only to the first packet of a related conn.) This new
CONNMARK flag, combined with the direction flag, allows TOFC to let
related conns through.
- The netfilter chain responsible for dropping packets is now identified
in the log file.
- The outgoing page was replaced with Stan's new TOFC. It is basically
a rewrite of his SWE3 mod using modern features of iptables. With some
other iptables magic, it is guaranteed to look at only packets for
connections initiated from inside the protected LAN(s) and those for
related conns. Time limits are enforced using iptables; when an existing
conn 'passes into' a DENY period, its packets stop instantly.
(Technically, when either end of the conn sends a packet when the conn
has become 'denied', it will immediately receive a TCP Reset (for TCP
conns) or an ICMP Admin Prohibited message.) Due to limits in netfilter,
note that related conns may not be stopped; there can be little to nothing
to relate a conn to an outbound port. If the web proxy
(squid) is enabled (transparent or not), its port 800 is included in any
port 80 rules that are generated.
- 'Backup/PnP' is another new feature. If you install via USB flash drive,
the system configures the backup system to recognize that drive when
plugged in and automatically runs both the 'var' and 'total' backups. So
backing up before and after changes is now utterly painless.
- IPSEC VPN is a work in progress. It's still only site-to-site, but now
has some explicit UI fields to handle NAT traversal.
- Many of smoothd's ails have been cured.
- Any program that fails and dumps core will have its core dump dropped
into /var/log/coredumps with useful file names. A cron task will need
to be added to keep this dir from taking over the filesystem.
- SmoothInfo tweaked; interface colors standardized and code pertaining
to 'openness' removed.
- Beep2 now always sends its sound to tty1; audio prompts work even when
using a serial console. (The rare system without any 'standard' console
parts may not have audible prompts.)
- In smoothd, do not start DHCP if it has not been enabled.
- Incorporated SWE3's new ipbatch program.
- Various parts of the UI have been tweaked for better presentation.
- The TC UI was refined some more.
- Tweaked header.pm to allow an author to use a different CSS for a
page.
- Fix the loooooong delay when using a static address on RED.
- There have been minor improvements to the build system.
- A couple more NIC drivers are built (atl1c and jme).
- Version bumps:
  - NetAddr-IP - 4.059
  - binutils - 2.21.1
  - clamav - 0.97.4
  - cnxadsl - 2.6-2.7
  - daq - 0.6.2 (always latest)
  - dnsmasq - 2.60
  - e2fsprogs - 1.42.2
  - ethtool - 2.6.36
  - expat - 2.1.0
  - gdb - 7.3.1
  - git - 1.7.9.6
  - jam - 3.1.18
  - libpng - 1.2.49
  - linux-atm - 2.5.2
  - lm_sensors - 3.3.1
  - logrotate - 3.8.1
  - man-pages - 3.38
  - miniupnpd - 1.6
  - module-init-tools - 3.15
  - ncurses - 5.9
  - ntp - 4.2.6p5
  - openswan - 2.6.38
  - pcre - 8.30
  - psmisc - 22.16
  - siproxd - 0.7.2
  - snort - 2.9.2.3 (always latest)
  - strace - 4.6
  - sudo - 1.8.2
  - tcl - 8.5.11
  - zlib - 1.2.6
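The core-dump item above says a cron task is still needed to keep /var/log/coredumps from filling the filesystem. The script below is an added example of such a task, not something shipped with Roadster; the 14-day and 512 MiB limits, the install path and the cron schedule are assumptions.

```shell
#!/bin/sh
# Added example (not part of Roadster): prune core dumps by age, then by
# total size. The limits and the cron schedule are assumptions.

# dir_bytes DIR: print the combined size in bytes of the files in DIR.
dir_bytes() {
    total=0
    for f in "$1"/*; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        total=$((total + $(wc -c < "$f")))
    done
    echo "$total"
}

# oldest_file DIR: print the least recently modified regular file in DIR.
oldest_file() {
    ls -1tr "$1" | while IFS= read -r name; do
        if [ -f "$1/$name" ] && [ ! -L "$1/$name" ]; then
            echo "$1/$name"; break
        fi
    done
}

# prune_coredumps DIR MAX_AGE_DAYS MAX_BYTES
prune_coredumps() {
    dir=$1; max_age=$2; max_bytes=$3
    [ -d "$dir" ] || return 0
    # Pass 1: drop dumps older than the retention period.
    find "$dir" -maxdepth 1 -type f -mtime +"$max_age" -exec rm -f -- {} +
    # Pass 2: if a crash loop filled the directory anyway, delete the
    # oldest dumps first until the total fits under the cap.
    while [ "$(dir_bytes "$dir")" -gt "$max_bytes" ]; do
        victim=$(oldest_file "$dir")
        [ -n "$victim" ] || break
        rm -f -- "$victim"
    done
}

# Hypothetical crontab entry (install path is an assumption):
#   17 * * * *  /usr/local/sbin/prune-coredumps --run
if [ "${1:-}" = "--run" ]; then
    prune_coredumps /var/log/coredumps 14 536870912
fi
```

Core files hold process memory, which can include keys and passwords, so a short retention period also limits what sits on disk.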
Special Credits—Kudos to Stan (s-t-p) for the
heavy lifting to port and integrate TOFC into Roadster; he started last
August and finished in November. I spent the next few months ironing out
the integration wrinkles. This was a major, intrusive change to the
firewall that could not be released until it was nearly flawless. I
believe the only thing that doesn't work is shutting down an existing
related conn when time passes into a denied frame, when that conn is
using random ports at both ends. If at least one port is mentioned
properly in the rule, the conn should be shut down.
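The release notes above describe flagging each conn's direction and "related" status with CONNMARK and enforcing time limits on every packet. The script below is an added example of how those pieces can fit together; it is not Stan's TOFC code or anything shipped in Roadster, and the mark bit layout, interface names and schedule are assumptions. It only prints the iptables commands.

```shell
#!/bin/sh
# Added example, not Roadster's TOFC code: prints iptables commands (dry run).
# Assumed connmark layout: bits 0-1 = direction (1 = outgoing), bit 2 = related.
DIR_OUT=0x1/0x3
REL=0x4/0x4

# tofc_demo_rules LAN_IF WAN_IF PROTO PORT START STOP DAYS PROXY(yes|no)
tofc_demo_rules() {
    lan=$1; wan=$2; proto=$3; port=$4; start=$5; stop=$6; days=$7; proxy=$8
    ports=$port
    # The page folds squid's port 800 into every port 80 rule.
    if [ "$port" = 80 ] && [ "$proxy" = yes ]; then ports="80 800"; fi
    # TCP conns are answered with a reset, others with ICMP admin-prohibited.
    if [ "$proto" = tcp ]; then rej=tcp-reset; else rej=icmp-admin-prohibited; fi

    # Direction is stamped once, on the first packet of a LAN-initiated conn.
    echo "iptables -t mangle -A FORWARD -i $lan -o $wan" \
         "-m conntrack --ctstate NEW -j CONNMARK --set-xmark $DIR_OUT"
    # RELATED describes only a related conn's first packet; later packets are
    # ESTABLISHED, so the fact is saved in the connmark. ICMP errors are
    # skipped: they carry the original conn's entry and would flag it too.
    echo "iptables -t mangle -A FORWARD ! -p icmp -m conntrack" \
         "--ctstate RELATED -j CONNMARK --set-xmark $REL"
    # Conns flagged related pass before the time rules are consulted.
    echo "iptables -A FORWARD -m connmark --mark $REL -j ACCEPT"
    # Time rules see every packet in both directions (--ctorigdstport is the
    # port the conn was opened to), so a live conn stops when DENY begins.
    for p in $ports; do
        echo "iptables -A FORWARD -p $proto -m connmark --mark $DIR_OUT" \
             "-m conntrack --ctorigdstport $p" \
             "-m time --timestart $start --timestop $stop --weekdays $days" \
             "-j REJECT --reject-with $rej"
    done
    # Outside the DENY window, LAN-initiated conns are allowed.
    echo "iptables -A FORWARD -m connmark --mark $DIR_OUT -j ACCEPT"
}

# Constructed sample: deny web traffic from eth0 (LAN) during weekday hours.
tofc_demo_rules eth0 eth1 tcp 80 09:00 17:00 Mon,Tue,Wed,Thu,Fri yes
```

Because the related ACCEPT rule comes first, this example never stops a related conn, which mirrors the limitation noted above.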
And, again, special thanks to Stephen (BoHiCa) for verifying internet
sources of packages, testing and general support. He and Stan both catch
bugs my neural paths have become numb to.
Thanks also to Gabe (gjdunga) for hosting a mirror of roadster.agcl.us.
DNS is set up to switch between both hosts with every lookup. The load
should be fairly well balanced between the two sites.
Finally, thanks to those who've tried to install Mark II and have patiently
waited for solutions to the problems they encountered. While I haven't
fixed all the problems, this is probably the smoothest release so far.
Known Problems and Oddities
- There may be cases where TOFC (really netfilter/iptables) is
incapable of disconnecting a RELATED conn; all other
time-frame-related disconnections succeed.
- Some NICs won't work because udev still does not handle firmware.
- Do not attempt to use the install flash medium for a manual backup.
The script does not exclude it and both manual and
auto backups will run; like 0/0, the result is undefined.
- While automatic backups work (after installing from flash), manual
backups to a different flash drive may not work.
- Using the install flash with a manual backup may cause great confusion
as *both* manual and automatic backups may try to run at the same time.
- You may occasionally encounter problems when restoring to a
different filesystem (i.e., changing from reiserfs to ext3). Restore
using the original FS to work around this problem.
- I haven't tested building Mark II Mod 1.0 on itself.
- The TC UI is known not to work on certain very modern browsers.
22 AUG 2011 — Roadster Mark II, Mod 0.2 is released and available for download.
- Parted is the sole partitioner. Bye-bye (s)fdisk.
- The GUID Partition Table (GPT) scheme is now standard. Partitioning is
back to SWE3 (partitions 1-4; the rest are available for other uses if you
didn't use the entire disk when installing).
- Version bumps: Apache v2.2.19, Joe v3.7, Linux v2.6.35.14, OpenSWAN
v2.6.35, gmp v5.0.2, xtables-addons v1.37, iproute2 v2.6.39, klibc
v1.5.24, parted v3.0.
- Cleaned up bandwidthbars.cgi aesthetics. People susceptible to
light-induced seizures should find the new presentation much more calm.
- New trafficControl (qos). Included schemes are 'Throttled with
Exceptions' that throttles all unexcepted traffic and tries to guarantee
fair division of bandwidth among all data flows, 'Stochastic Fair
Queueing' for a simple scheme that should prevent any one data flow from
hogging the bandwidth, and 'new' for those who wish to build a scheme
from scratch. Documentation is still just about non-existent; the
'Throttled with Exceptions' scheme should serve as an example.
- The main status page, status.cgi, correctly reports TC (QoS) as 'on'
if any TC other than the linux default (pfifo_fast) is active. In
comparison, the stock SWE3 script looks only for HTB.
- Additions to interfaces.cgi (for the RED interface) allow one to
override the ISP's MTU and DNS settings when DHCP is used. I think it
should work for PPPoE, too.
- The updates mechanism is in place. I must define a 'policy' to make it
work. I intend that updates are, in essence, point releases; installing
the ISO for version x.y.z will be the same as installing the previous
ISO and updating to version x.y.z. Backwards compatibility shouldn't be
a problem because one can always have the installer perform a total
restore to the previous running version; using the previous ISO to
restore may be required for a 2.0.2->2.0.1 downgrade.
- I added a new script in .../build, host_debian_inst, to install the
last packages needed to build on Debian, as well as a few
'extras'. This will make it easier to set up a Debian system to build
Roadster. BoHiCa says it works on Ubuntu, too.
- Dlverify now defaults to non-PASV mode for ftp fetches; the default
'Throttled with Exceptions' traffic control can make PASV ftp downloads
of src packages painfully slow (56kbit) because both ports are way up in
the high range. Like the other extensions, one can revert to PASV FTP
mode with a command like 'PASV= MIRROR_UNO=downloads make predownload'
if one's firewall doesn't handle non-passive mode.
- Added smartmontools to the build.
- Added yaml (for suricata) to the ISO; this was an oversight.
- Include root's .ssh dir in the var backup. I add keys so I don't have
to type root's password 5000 times a day.
- Added test for presence of xz tools to host_check.sh because it's
needed to unpack some source tarballs.
Known Problems and Oddities
- Udev still doesn't handle loading firmware; I haven't decided how to
solve this particular problem yet. I may yet include the whole Debian
udev and all the related libraries.
- TrafficControl isn't perfect when dealing with RED. It should use
iptables commands only for classifying. It works for simple-ish schemes
(IP/port) but will probably misbehave on more complex classifications.
Fixing it may wait until I convert to using InterMediate Queue (IMQ)
devices where the source and destination interfaces are always known;
this should allow treating traffic inbound to RED, GREEN, PURPLE and
ORANGE interfaces separately (i.e., throttle them at different rates,
yielding much better control of slow links feeding into fast links.)
- Due to the change in partitioning, a full restore mayn't work unless
you use a 2.0.0 or 2.0.1 ISO. Until now, P/R had been using partition 3
as an extended partition with /var/log residing on partition 5; the
purpose was to allow the user to add more partitions in the unused disk
space (recall that the installer allows one to limit how much disk space
is used; I usually limit my installs to 20000MiB or less). With GPT and
its 255 or so partitions, that hack is no longer necessary. So the
partitioning scheme has returned to the traditional SWE3 layout (1=boot,
2=swap, 3=var/log, 4=root).
8 MAY 2011 — Roadster Mark
II, Mod 0.1 is released and available for download.
The sole development change involves pointing to roadster.agcl.us/downloads
to fetch source tarballs. Roadster now installs on systems that use the HP/Compaq
Smart Array RAID controller. Note: grub shell works on these controllers, but
grub-install does not. Grub was patched to recognize the cciss device, but either
it isn't quite correct, or grub-install uses a different method. This work uncovered
a defect in partitioning; Mark II should now install on disks that have other than
63 sectors per track.
11 APRIL 2011 — Roadster Mark II is released and available for download.
See the RC1 announcement (below)
for an overview of the fixes and improvements. (The kernel was since bumped to v2.6.35.12.)
27 March 2011 — The Mark II Release Candidate is available for testing now.
I've been busy since February. Fixes and improvements include:
- Linux kernel: v2.6.35.11; OpenSwan: v2.6.33; Udev: v165; IPTables: v1.4.10
- Numerous other packages have been upgraded.
- Suricata is included, but is not configured or started and has no GUI.
- Most x86 laptops and PCCard NICs should now be supported.
- The problem with setup falling into a temporal loop has been fixed.
- The ISO boot splash now has instructions showing how to use the new boot
disk features.
- If you have command line skills, you can boot to a shell and explore the hardware.
- If you want to install from flash, boot any computer using the ISO image and select
the 'flash' option to prepare a bootable USB drive (flash or rotating).
- There is a semi-automated backup feature that lets you easily back up the variable data
or the entire system to a USB drive. There is a feature package available for those who
wish to upgrade their existing Roadsters. See the
How About USB Backup thread for details.
- The installer allows you to restore the variable data (if upgrading) or restore
the entire system if, heaven forfend, the new system doesn't work properly or you just
don't like it.
Some restrictions apply. See the forum for details.
- Most fixed delays in startup are gone; it does a much better job waiting for
specific things to happen.
- During startup, the NICs are now policed to zero bytes/sec to prevent DoS attacks
(either from the internet or self-induced). The police barricades are removed once
the firewall is up and fully functional.
See the forum for all the details.
Old Roadster Downloads
- Roadster Mark II, mod 0.2
(ISO, August 22, 2011, 234MiB, MD5:c8c0903944f58f0851f571a9bc3d9114)
- Roadster Mark II OffRoad
(ISO, August 22, 2011, 32MiB, MD5:9c6920ba1aa058df4a6aaaa731886450)
- Roadster Mark II, mod 0.1
(ISO, May 8, 2011, 233MiB, MD5:449b76c5f5a82a40d85be53c5d64e1bb)
- Roadster Mark II, mod 0.1 OffRoad
(ISO, May 8, 2011, 32MiB, MD5:7ffb03e61cb959408f3ffae16cd6fec4)
- Roadster Mark II
(ISO, Apr 11, 2011, 230MiB, MD5:0d7c4b568f98955a246ba56342751f27)
- Roadster Mark I, mod 3.1
(ISO; Feb 6, 2011, 216MiB, MD5:f129ce0a9c02d800eb93cd7ec918430b)
- Roadster Mark I, mod 3
(ISO; Jan 2, 2011, 212MiB, MD5:7d745a8c258ddb57440fee4fb8ccc87c)
- Roadster Mark I, mod 2
(ISO; Nov 3, 2011, 210MiB, MD5:cfbe82922b598c8a02910c5a258b16f0)