Coyote Linux 2.x FAQ

This document is intended to answer questions about the most recent release of Coyote Linux, but most of it is also applicable to earlier releases in the 2.x series. The previous version of this document covers Coyote Linux 1.x, which differs from CL 2.x in many areas.

This FAQ will remain free. You can copy it, use it, even abuse it... as long as you keep a link to Coyote Linux in, on, or around it anywhere you might post it.

Previous versions of this FAQ were maintained and hosted by Canuckle and Eric J, and their efforts are greatly appreciated. This should go without saying, but Joshua Jackson deserves hearty thanks for all his work in creating Coyote Linux and continuing to enhance it, and so do the various contributors and testers over the years. Dave Cinege and the other creators of the Linux Router Project - on which Coyote was originally based - are also appreciated, even if he doesn't feel that way.
-Todd VerBeek

Updated 2 Nov 2003

Introduction

For general information about what Coyote Linux is, see the official web site. For instructions on installing Coyote Linux and configuring it to work in your network environment, see the (PDF) pre-release documentation for Coyote Linux 1.4. (CL 1.4 was further modified before being released as CL 2.00.) Most of the information in that document applies to CL 2.x, with this document serving as a supplement or update of it. The Coyote Linux forums are a good resource for help. If you do not see your question or problem addressed in the documentation or this FAQ, search the CL2 forum. If you still can't find an answer, please post a question in the forum, with all the pertinent information about your configuration and what you're trying to do.

Although Coyote Linux was designed to be easily installed, with little or no knowledge of Linux, much of the material in this FAQ will involve learning some of the basics of using the Linux operating system. Every effort will be made to keep this material as accessible to Linux newbies and advanced Windows users as possible.

You can link directly to any given question by copying the URL provided by the "" marker (like a blog permalink).

Requirements

Q: What are Coyote's hardware requirements?
A: It requires a PC-standard computer with a 1.44MB diskette drive, and two supported network cards (or one network card and a modem, for dial-up use). Most of the popular ISA and PCI network cards are supported. No hard drive is used. A 486DX CPU (any speed) and 12MB or more RAM are recommended. For PPPoE or an especially fast internet connection (i.e. several Mbps), a 66MHz or faster CPU is recommended. If you plan to use any add-ons, at least 16MB of RAM is recommended. Anything more than a Pentium I and 64MB RAM is probably wasted. A working Windows (95 or later) or full-distro Linux system is needed to create the initial boot diskette, and can be handy for later modifications, but is not needed for CL operation.

Q: But what are Coyote's minimum hardware requirements?
A: A bare-bones system can be built with just a traditional motherboard (no integrated peripherals), small power supply, video card (any kind), and the aforementioned two NICs and diskette drive (and controller if not on the motherboard). A case comes in very handy. A keyboard and monitor are recommended during configuration and testing, but are optional for production use; the video card needs to stay installed, and you should configure the system BIOS not to halt on keyboard errors if you won't be leaving the keyboard attached. Serial/parallel/USB ports, hard drive controllers, etc. are all superfluous. A 386SX CPU and 8MB RAM is the bare minimum for a Coyote Linux system to boot and operate indefinitely without crashing. A 16MHz CPU should be able to keep up with the traffic demands of a typical <1Mbps internet connection. 8MB of RAM will not allow the use of any add-ons, and in fact it would be a good idea to delete (or rename) the webadmin.tgz package from the boot diskette, to save RAM for the core functions of the system. NOTE: The Windows disk builder does not include the necessary software components to create a diskette that will work on a 386 or 486SX platform (i.e. no math coprocessor); you must use the Linux scripts to build a boot diskette with FPU emulation.

Q: What operating systems will Coyote work with?
A: All of them. Although Coyote is a Linux-based system, an internet connection shared by a Coyote router can be used by nearly any modern operating system that uses TCP/IP networking. It is known to work with Windows 95/98/ME/NT/2000/XP/2003, MacOS 7/8/9, OS X, Linuxes, BSDs, commercial Unixes, Netware 5/6, OS/400, BeOS, plus many others.

Q: What kind of internet connections will Coyote work with?
A: Coyote Linux works with most cable modems, DSL connections, T1 and other leased lines, and other technologies that provide a standard ethernet connection. (It does not work with internal interface cards or USB-connected interfaces.) It supports statically-assigned IP addresses, DHCP, and PPPoE. It is also designed to work with dial-up (PPP) connections, though this capability is not quite functional in the current release.

Versions

Q: What versions of Coyote Linux are available?
A: There are currently two major versions of CL in widespread use: 1.x, which uses the Linux 2.2 kernel and ipchains security, and 2.x, which uses the Linux 2.4 kernel and iptables. Many add-ons or modifications for CL1 are not compatible with CL2 because of these differences. A few infrequently-used capabilities of CL1 have been left out of CL2, mostly to save the limited space available on the boot diskette. Unless there is a particular CL1 feature or CL1-compatible add-on that is not available in CL2, it is strongly recommended that you use CL2. CL1 is no longer being actively developed (1.32 is the last release at this writing), but is still supported by the CL community in the official CL1 forum. The current version at the time this document was last updated is Coyote Linux 2.02.

There are also two different tools for installing CL: a Microsoft-Windows-compatible disk-builder or "wizard", and a set of Linux-compatible scripts. The latest versions of each will produce nearly-identical CL boot diskettes with the same features. The Linux scripts offer a few installation options (higher diskette capacity, 386/486sx support) unavailable with the Windows tool. Note: the version number of the Windows disk builder does not match the version of Coyote Linux which it generates. For example, version 2.2.3 of the Windows tool creates a Coyote Linux 2.02 boot diskette, not "Coyote Linux 2.2.3". The Windows and Linux tools are both available for download here.

Vortech Consulting, the developer of Coyote Linux, also develops Wolverine, a commercial-grade firewall/VPN server, and has begun development of a Coyote-based wireless access point.

Q: I'm considering upgrading to the most current version of Coyote, but I want to know what's changed first. Where can I check?
A: See http://www.coyotelinux.com/files/dist/ChangeLog.txt to check the Changelog.

Q: How do I upgrade to the newest version?
A: Because Coyote is installed by building a new boot diskette from scratch, there is no direct way to upgrade a CL1 boot disk to CL2. If you are using an unmodified installation of CL1, you should be able to build a new CL2 diskette (keep the old one, just in case) and switch to that without difficulty. If you have set up port-forwarding using ipchains or ipmasqadm commands, or other such modifications, you will have to recreate those changes using the new Coyote rule system for portforwards.

To upgrade an earlier release of CL2 to the current release, you can build a new CL2 diskette, and copy the file coyote.cfg from the old disk to the new one; this will transfer all of your basic settings. If you copy the files firewall and portforward from the /etc/coyote directory of your pre-upgrade system and copy them back to your post-upgrade system (copying files to/from a Coyote system is discussed elsewhere in this document), the modifications made under options 5 and 6 on the console menu will be carried forward. Any changes to initialisation scripts will have to be re-implemented manually, because these tend to be updated with each new release. (Putting new commands in /etc/rc.d/rc.local instead makes it easier to carry them forward.) Any add-on packages you've installed will have to be added to the new disk, of course.

Getting Started

Q: Can I use two of the same NIC? I'm having problems with that.
A: That can make diagnosing problems rather difficult, so using different models is recommended. But there's no reason it can't work. One of the most common problems with ISA cards is that the IRQ and/or I/O address are set the same. Either change the jumpers (if it's really old) or use a software utility from the manufacturer to reconfigure the card(s). (Avoid IRQs 3,4,7 unless you've disabled the system's COM and LPT ports.) If you're still having trouble, or if you're using PCI cards, try swapping the cables on them. Maybe you guessed wrong which one was going to be used for the Internet and which one was for the LAN.

Q: Will a faster NIC (100Mbps, 1Gbps) improve the speed of my connection?
A: No. Even the fastest widely-available internet connections run at less than 10Mbps, which is the speed of the oldest standard ethernet cards. A state-of-the-art 1Gbps PCI card can't push the packets through your cable modem or DSL bridge any faster than an old ISA NE1000 can. It also doesn't make any appreciable difference whether you use a high-speed card on the LAN side of your Coyote box. If the rest of the machines on your local network have 100Mbps or 1Gbps NICs, and your hub supports those speeds, those machines will communicate with each other at those speeds, even if the line to the Coyote box is slower. Many people misunderstand the role of the "router", thinking that all network traffic gets routed through it. In fact, only traffic to and from the internet goes through it; local traffic goes directly from one local machine, to the hub/switch, to the other machine.

Q: I'm having problems with the 3Com 509 series NIC.
A: When making the Coyote Linux disk, don't specify the IRQ and I/O for 3C509 card; leave it to the module to detect the settings. If this approach doesn't work, 3Com's web site has downloadable utilities for these cards. The key ones are a DOS-compatible configuration program 3C5X9CFG.EXE to set the card's IRQ and I/O address manually, and a DOS batch file PNPDSABL.BAT to simply disable Plug-n-Play (requires the configuration program to be in the same directory).

Q: What if I can't find my NIC listed among the drivers Coyote supports?
A: It's possible that your card is supported by a driver that has a name you don't recognise. For example, many ISA cards are compatible with the ne driver, and many PCI cards are compatible with the ne2kpci, tulip, or via-rhine driver. Doing a web search for the name or model number of your NIC along with linux module will usually bring up some pages that refer to the proper driver by name. For example, the first page in a Google search for dfe-540tx linux module mentions tulip.o as the module name.

Q: What if the driver for my NIC simply isn't included with Coyote?
A: If there is a Linux driver written for your NIC, it can probably be compiled from the source code to work on a Coyote system. The easiest way to reliably compile a module for Coyote is to install the Coyote build environment on your Linux system and compile it with that. You can then add this module to the list of those supported by the Linux installation scripts, or copy it to a working Coyote system by some other means.
If there is not a Linux driver coded for it, and it's a current piece of equipment, complain to the manufacturer.

Q: Can I use my old laptop as a Coyote router?
A: No, because Coyote doesn't support PCMCIA, USB, or parallel-port devices. (Even if the laptop has a built-in ethernet port that emulates a NIC that Coyote supports, you'd still need to add a second NIC somehow.) Although Coyote can't do it, a laptop with a hard drive and a couple of PCMCIA NICs, and loaded with a regular distro of Linux (which would give you all the basic tools included in Coyote) would make a nice platform to configure as a little router.

Q: Why won't Coyote Linux 2 connect to my dial-up PPP service?
A: Due to a lack of PPP-related feedback during the pre-release testing phase of CL2 (relatively few users have been using this functionality), and the fact that Joshua (the primary developer) doesn't have the ability to test it himself (he doesn't have a dial-up internet account), the dial-up capability remained broken in the first few releases of CL2. Most importantly, there is a key file missing from the current release, which can be added following these instructions. Search the CL2 forum for more info about this.

Q: Why isn't Coyote working with my modem?
A: Many modems sold today are designed to work only with Microsoft Windows; they are commonly called "winmodems". PCI modems also tend to use non-standard IRQ and I/O settings. Coyote is only able to support standard ISA modems, and external serial-port modems.

Q: My Coyote box is running and connects to the internet, and my Windows computer is connected to it. Why can't it see the Coyote machine or the internet?
A: If your computer is connected by just a cable run directly from one network card to the other, that won't work. Computer ports and hub ports are wired differently, and you can't connect two of the same kind of port to each other with a standard cable. For a direct computer-to-computer connection, you need to use a specially-wired "crossover cable" which swaps the wires around to make up for the different port wiring. You can buy one at any good computer hardware store, or ask your favorite techie to make you one (for a fraction of the price). Otherwise, if you're going to have more than one computer using the Coyote router, connect each computer to a shared hub, which solves this problem by putting a hub between the computers.

Q: Is there any way to network a few computers without a hub?
A: Sort of. You can network two computers together using a crossover cable, as described here. For more than two computers, you could install a separate network card in your Coyote for each computer, but this would require some hacking of the routing tables to get this to work. Another option is to install a combined internal switching hub/network interface card such as this one as the local interface (it uses the 8139too ethernet module) in your Coyote box. This would make your Coyote system functionally equivalent to (but far more configurable than) a commercial integrated "4-port router".

Q: Do I need to logon for Coyote to work?
A: No, leave Coyote at the logon prompt and it is completely functional.

Q: Do I need to change/add anything to make my e-mail or web browser work on my Windows, Mac, or Linux computer?
A: No changes to Coyote are necessary to allow these applications (and many others) to work on your clients.

Q: Coyote gives me a message saying "Entering Runlevel 3 Going multiuser..." and then just hangs.
A: Let it sit there for a couple of minutes and it will probably continue. This is the symptom of the DHCP client failing to get an address.

Q: What does "Error getting address - ioctl() failed" mean?
A: It means that the interface is not up and doesn't have an IP address. If your ISP is making you use DHCP to get an IP address every time you (re-)connect, then this error may appear while the interface is in the process of coming up and being assigned an IP address. So, I would say that at the time you got that error, you weren't actually connected.

Basic Functionality

Q: Where is the command line?
A: At the Configuration Menu, select option Q to quit, and you are at the command line. It should look like this:
coyote# _
...where the underscore is the cursor.

Q: I quit out of the configuration menu, how do I get back in?
A: Type menu at the command prompt, and press the Enter key.

Q: Is there a quick way to reboot the Coyote box?
A: Select option R on the console menu. In most circumstances, shutting off power to the machine and turning it back on again will restart the machine without any problem. Because Coyote doesn't use a hard drive and reloads itself from a backup copy on diskette every time you boot it, there is no need to worry about files being corrupted by an abrupt power cycling. The only time you should not do this is in the middle of doing a backup to diskette.

Q: Coyote doesn't have a GUI interface. How can I see what files Coyote has?
A: If you need to go beyond the options available on the Configuration Menu, you'll need to get accustomed to using the command line to navigate the system. Coyote Linux uses standard Unix shell commands. Here's a table of basic commands to get started with:

Command                                What the command does              Closest Windows/DOS equivalent
cd [directoryname]                     Change Directory                   cd [directoryname]
ls                                     List Stuff (easier to remember)    dir
pwd                                    Present Working Directory          (none)
cp [filename] [destination]            Copy                               copy [filename] [destination]
mv [filename/directory] [destination]  Move                               (none)
rm [filename/directory]                Remove permanently, delete         del [filename]
mkdir [directoryname]                  Make a Directory                   mkdir [directoryname]
rmdir [directoryname]                  Remove a Directory                 rmdir [directoryname]
exit                                   Log off / end session              exit

Q: How can I change the date and time on the Coyote box?
A: Use the command date at the command line, which will handle both date and time. The format for this is:

date [OPTION] [MMDDhhmm[[CC]YY][.ss]]

So if you wanted to set the date and time to 06/20/01 5:59 PM, you would type it in like:

coyote# date 062017592001

That breaks down as "0620 1759 2001" for easier reading, but remember not to type the spaces when entering the command, or you'll get an error. Time is in 24-hour format, AKA "military time". For anything past noon, add 12 hours to "clock time", e.g. 5:59 pm becomes 1759.

Q: What if the clock battery on the motherboard of my Coyote box is dead - is there another way to get the time to work?
A: If you copy the file /sbin/ntpdate (from another Linux system) onto the coyote box (via floppy) it will run quite happily and correct the system time (although to UTC).

Q: I can't find vi, joe, pico, emacs, ae, edlin, or any other editor I know! How do I edit a file?
A: Try edit [filename] :) This runs a microeditor called e3. (Emacs? On a floppy? I don't think so.)

Q: What keystrokes work in the editor?
A: Ctrl-S will save the file, and Ctrl-Q will quit the editor. Press Alt-H from the main edit screen to see a list of other keyboard commands; the caret (^) means Ctrl. If you want to exit without saving changes, press Ctrl-Q and answer N when asked if you want to save.

Q: I made changes to the file X, saved and rebooted, but the changes are gone. Why?
A: You need to write your changes to the backup copy on the boot diskette. This is done by selecting option W on the console menu. This requirement to manually write changes is a security feature which makes it easy to restore the Coyote system to its correct configuration in the unlikely event that it gets cracked and hacked.

Q: I've added a file to Coyote or changed an existing file, and then used the W option to backup my changes. But the file is gone after I reboot. What happened?
A: Some files, particularly those which are not expected to ever change, are not updated by the write-to-diskette process. This process uses several .list files in /var/lib/lrpkg/ to identify which files should be stored in each .tgz package. If your file is in some way associated with one of the existing packages, edit the *.list file for that package and add the file(s) to the list. If your file is not part of any particular package, then it may be best to create your own package.

Q: Why do you have to include an empty line at the end of file?
A: It isn't so much that there needs to be an empty line as there needs to be a CR (null character) at the end of the last line... This is simply due to the way that files are parsed by the various scripts used by Coyote.

Q: How do I see how long my CoyoteLinux router has been up?
A: At the command line type uptime. Coyote is designed to run indefinitely without rebooting (hardware and power permitting).

Q: Can I change the ISP information (phone number or the IP from my ISP) without having to make another floppy?
A: (this answer has not been confirmed for CL2) Yes. You need to make alterations in the following files:
pap-secrets
chap-secrets
options
resolv.conf
Save the changes to the files and don't forget to write your changes to the floppy disk!

Q: How do I configure the system using WebAdmin?
A: The port for WebAdmin is 8180, so the URL would look like this: http://192.168.0.1:8180
(Change the IP to match the internal IP address of your Coyote box if you specified something other than the default.) See the documentation for more info about WebAdmin.

Advanced Functionality

Q: Does Coyote include a print/web/FTP/etc. server?
A: Short answer: It could, but it won't.

Longer answer, from Joshua Jackson (developer of Coyote Linux):

Many people have suggested that all sorts of features should be added to Coyote Linux (web server, ftp server, etc) claiming that they don't know how to use Linux and that Coyote Linux was so easy to set up. I don't support this view because Coyote Linux does what it was intended to do - share an Internet connection. If you want a print server, web server, samba, ftp, or whatever, there are already distributions out there that provide these functions. If all of the features that people ask for were added to Coyote, setup of Coyote would be just like any other distribution. If you want to use Linux for functions that Coyote does not support, you really should learn how to use a distribution that already has said feature and/or learn how to add it yourself. I will never add a print server, web server, etc to the base Coyote Linux distribution as it has absolutely nothing to do with sharing an Internet connection.

Coyote does run a few "servers", such as DHCP, SSH, and the web-based administrative interface, but only because they directly contribute to the core purpose of Coyote as a connection-sharing system, or make it easier to administer that function. Some of the peripheral (or even unrelated) features that people have asked for have been implemented independently of the core Coyote Linux distribution, as add-ons. These are discussed in the Packages section. A central guide to them is available at its main or backup location.

Q: How can I find out what Linux kernel version Coyote is running?
A: At the command line, type uname -a.

Q: What Linux devices does Coyote use for the different connections?
A: As follows:
eth0 is used for your local network (LAN)
eth1 is used for the internet (cable/xDSL/T1, static or DHCP)
ppp0 is used for the internet (56K dialup or PPPoE)

Note: Any mention of eth1 can be replaced with ppp0 for those with a dialup or PPPoE connection.

Q: I'm concerned about leaving the router connected to the Internet all the time. Can I force it to disengage and re-establish the connection?
A: To force the external interface down without shutting down the machine, use the ifconfig command. For example:
ifconfig eth1 down or
ifconfig ppp0 down

To bring it up again manually:
ifconfig eth1 up or
ifconfig ppp0 up

Q: Where can I find the logs Coyote generates?
A: Press Alt-F4 on the console. Press Alt-F1 to get back to the original session.

Q: How do I make changes effective without rebooting?
A: If you have added the commands to your Masquerading or Firewall files, you can rerun them without rebooting (this is how you get the impressive uptimes). At a command prompt, type /etc/rc.d/rc.firewall. This is handy for testing, but keep in mind that you must write your changes to floppy if you want these commands to be saved, and executed next time you reboot the Coyote machine.

Q: I forgot my password, I can't logon to Coyote, can I get it back?
A: Keep in mind that Linux's passwords are CaSeSeNsItIvE, so be sure to test your password in variations to make sure it wasn't just a case of the Caps Lock key being enabled when you set the password. Coyote does run without logging on, so you don't need to rush to make a new disk.

There is a shell script included with the Linux version of the Coyote package which can be used to overwrite the password file on an existing diskette, replacing it with one that has no root password. Go to the utils/rmpassword directory in your Coyote scripts directory, view the README file, put the diskette you want to hack into the drive, and type ./rmpassword.sh. Put the disk back into the Coyote box, boot, and login as root (no password). Change your password to something you'll actually remember this time, by typing passwd at a command prompt.

Q: How do I prevent my screen from going black (screensaver)?
A: Type the following command at the command line:
echo -e "\33[9;0]"
To make this a permanent change, add this command to one of the startup scripts, such as: edit /etc/rc.d/rc.local

Q: How can I see the messages that were created on bootup?
A: At the command line, type dmesg | more.

Q: How do I telnet into my Coyote router?
A: Coyote does not support telnet access, due to security issues with the telnet protocol (most importantly, it transmits your password as clear text, which can be read by packet sniffers). Instead it supports access via SSH (secure shell) a protocol similar to telnet but with encryption.

To access the Coyote box from a Linux system on your LAN with SSH installed (most have it), type ssh -l root 192.168.0.1. You will be asked to confirm whether to accept the server's public key as proof that it is the machine you're trying to access. When prompted, type the Coyote machine's password for root.

To access it from a Windows system, PuTTY is the recommended client to use. (Microsoft does not include an SSH client with Windows.) It's free of charge and can also be used as an improvement over Microsoft's telnet client. Type the Coyote router's IP address into the field for "hostname" and click "open". Make sure it has port 22 (ssh) not 23 (telnet) selected. The nice part about PuTTY is that you can save this profile so you can have an entry called "Coyote" for instance. To use it, select "Coyote" in the Saved Sessions area, then click "Load" and finally "open" ... and simply log in as root (like you would when using a monitor) to continue to the Configuration Menu.

Q: SSH is really slow connecting to my Coyote box...
A: Edit the Coyote machine's /etc/hosts file to include a line for each machine that will connect to Coyote:
edit /etc/hosts

Add IPs and names for your PCs, similar to this example:
List of Hosts              Comments
127.0.0.1      localhost   #Do not change localhost
192.168.0.1    coyote      #example of hostname
192.168.0.98   notebook
192.168.0.99   kathie.local
(NOTE: Be sure to include an empty line at the end of the file.) The hosts file will also enable pinging by hostname from Coyote. This fix will work even if you have DHCP running and the actual hostnames change; SSH just needs a hostname to resolve.

Q: Whenever I make an SSH connection from behind the Coyote box to somewhere external, I frequently get disconnected after being idle for anything more than 5 minutes. Why?
A: This is a default behaviour of IP masquerading. Any connection that passes no traffic for a certain time period is dropped... you cannot turn this off (nor would you want to; the kernel connection tables would eventually fill up with dead connections), but you can adjust the time limits. See the Linux IP Masq docs for the commands necessary to do this. Alternatively, PuTTY has a keep-alive option.

Q: How do I transfer new files to my Coyote system?
A: There are several methods to accomplish this: installing an FTP client, copying them off a diskette, adding them to one of the existing .tgz files on the diskette, creating a new add-on package.

Q: Can Coyote be used as a Samba print server?
A: Not easily, and probably not very well. The main obstacle is the size of the print jobs, which Coyote simply doesn't have room to spool. Also, Coyote doesn't have parallel port support enabled in its kernel. A more feasible approach would be to use the non-spooling p910nd print server, which uses the same "raw sockets" protocol as HP's JetDirect™ devices, but no known implementation of this on Coyote has been reported.

Q: What can I do to block those annoying pop-up ads, like the X10 ones?
A: While it is possible to do this using Coyote's filtering, it's inefficient. Over time you will end up blocking 100's of domains. It's more effective to use the pop-up blocking capabilities of many modern web browsers.

Q: Can Coyote filter spam from unwanted sites?
A: No. Spam filtering can only be done effectively at the mail server (your ISP may already be running SpamAssassin there), or the mail client (Outlook, Mozilla Mail, Eudora, Apple Mail, Evolution, etc). Coyote is just a part of the road that spam travels on, and has no way of filtering that traffic based on content.

Q: Is modprobe available?
A: No. Coyote does not use the full modutils package.

Q: What are all these modules in /etc/modules? Can I remove them?
A: The ip_conntrack_* and ip_nat_* modules support various complex protocols that would otherwise fail to work with Coyote's Network Address Translation. While they do not pose any known security exploits and use very little memory, you may wish to remove them if you are certain you won't need support for those protocols. They are:

In most installations, the remaining modules correspond to the NICs installed in your system. 8390 is a module required by NE2000-compatible cards (and perhaps others) in addition to the card-specific module itself.

DHCP

Q: I want to always use the same IP for one computer, but I'm using DHCP. Is it possible?
A: The DHCP daemon in Coyote 2.x does not support statically-assigned IP addresses based on the machine's MAC address. If you want fixed addresses, you should set them on each machine instead of relying on DHCP to keep assigning them (After all, the "D" in "DHCP" stands for "dynamic".) If you require a combination of static and dynamically-assigned addresses, it's best to choose a block of addresses for each kind, and limit the DHCP server to use only the range you've assigned for that dynamic allocation. For example, to reserve addresses 1-99 for static nodes (such as the Coyote box, web servers, permanent workstations, or any machine that has to be at a constant IP address to allow port-forwarding), and to reserve addresses 100-254 for DHCP clients, include the following in your main configuration file:
DHCPD_START_IP=192.168.0.100
DHCPD_END_IP=192.168.0.254

Port Forwarding and Coyote Rules

Q: How do I run a [web/ftp/game/etc] server from behind Coyote?
A: Because Coyote's default behavior is to block all incoming requests for services, you need to tell Coyote to forward requests for those ports to a specific machine on your local network. Rather than requiring users to code and execute the necessary commands manually, Coyote uses a system of simple - but flexible - rules (I call them "Coyote Rules"). There are two methods to set these up: by editing the Coyote Rules file directly on the console, or by adding them via the WebAdmin browser-based interface.

Q: I have a domain name pointing at my static IP address, but when I type that into my browser, it doesn't work. I've tried using the external IP address, and that doesn't work either.
A: This is because that domain name is resolving to your external IP address, which is only accessible from the other side of your Coyote box. To correct that, add a dns parameter to whatever portforwarding commands you're using for that service. For example, if you want to use your external domain name to access your web server, add dns to the rule forwarding port 80 (e.g. auto Y tcp 80 192.168.0.2 dns).

Q: I've used port forwarding to setup a web server on port 80, but it doesn't seem to work. What's wrong?
A: If you've added the Coyote Rule correctly (no typos, and the rules file has been saved and reloaded) and it's still not working, here are two possible explanations:

1) Your webserver is running on a box that has its own firewall software, configured to refuse connections from non-LAN addresses.

2) Your ISP is blocking incoming traffic on port 80. Several ISPs are doing this now because of Code Red and similar viruses and exploits, but some ISPs do it to prevent or discourage their customers from running web servers. You could try running the server on a different port (like 8080) and include this in the URL you give to people (e.g. http://123.123.123.123:8080), or run the server itself on the standard port 80 but forward all requests for port 8080 to port 80 on your local web server, using a rule such as: port Y 192.168.0.2 tcp 8080 80. You'd give people the same URL as in the previous example.

Q: I want to run a web server on a different port because I already have one on port 80.
A: You can use port rules to change port numbers while forwarding requests to a particular machine. For example, if you want requests for port 8080 to be forwarded to the machine at 192.168.0.4 (which is listening on the standard port 80) add the following rule to the portforwards file:
port Y 192.168.0.4 tcp 8080 80
If you are actually running multiple web server processes on different ports, you can add rules to forward those additional ports to the server:
auto Y tcp 8080 192.168.0.4
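The two rule forms above (auto and port) are simple enough to parse and check mechanically. The following is an added example, not Coyote's own rule processor: it validates each line of a rules file and emits the iptables commands it implies, using the auto-forward and autofw-acl chain names and the $IF_INET variable that appear in the firewall snippets further down this page. How it renders the dns flag (a hairpin-NAT pair on the LAN interface) and the $EXTIPADDR variable are assumptions about how that flag could be realised, not Coyote's actual implementation.

```python
"""Parse Coyote Rules (the port-forwarding format shown above) into the iptables
commands they imply.  Added example, not Coyote's own rule processor: chain names
(auto-forward, autofw-acl) and $IF_INET come from this page's firewall snippets;
the hairpin-NAT rendering of "dns" and $EXTIPADDR are assumptions, not Coyote's."""
import ipaddress
import re

LAN_IF = "eth0"        # LAN-side interface, as in this page's LAN-blocking rule
WAN_IF = "$IF_INET"    # external interface variable used by /etc/coyote/firewall
EXT_IP = "$EXTIPADDR"  # assumed to hold the external address (see getifaddr)
PROTOS = ("tcp", "udp")


def _port_spec(spec, allow_range):
    """Validate a port, or a low:high range where Coyote accepts one."""
    m = re.fullmatch(r"(\d{1,5})(?::(\d{1,5}))?", spec)
    if not m or (m.group(2) and not allow_range):
        raise ValueError(f"bad port spec {spec!r}")
    lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"port range out of order or out of bounds: {spec!r}")
    return spec


def parse_rule(line):
    """Parse one rules-file line into a dict; None for blank/comment lines."""
    f = line.split("#", 1)[0].split()
    if not f:
        return None
    if f[0] == "auto" and len(f) in (5, 6):
        # auto <Y|N> <proto> <port|lo:hi> <lan ip> [dns]
        proto, target, dns = f[2], f[4], len(f) == 6
        ext = internal = _port_spec(f[3], allow_range=True)
        if dns and f[5].lower() != "dns":
            raise ValueError(f"unknown flag {f[5]!r}")
    elif f[0] == "port" and len(f) == 6:
        # port <Y|N> <lan ip> <proto> <external port> <internal port>
        target, proto, dns = f[2], f[3], False
        ext = _port_spec(f[4], allow_range=False)
        internal = _port_spec(f[5], allow_range=False)
    else:
        raise ValueError(f"unrecognised rule: {line.strip()!r}")
    if proto.lower() not in PROTOS:
        raise ValueError(f"protocol must be tcp or udp: {proto!r}")
    ipaddress.IPv4Address(target)  # raises ValueError on a malformed address
    return {"kind": f[0], "enabled": f[1].upper() == "Y", "proto": proto.lower(),
            "ext": ext, "int": internal, "target": target, "dns": dns}


def iptables_for(rule):
    """iptables commands for one parsed rule (none when the rule is N)."""
    if not rule["enabled"]:
        return []
    p, t, ext, internal = rule["proto"], rule["target"], rule["ext"], rule["int"]
    to = t if ext == internal else f"{t}:{internal}"  # port rules also rewrite the port
    cmds = [
        f"iptables -t nat -A auto-forward -i {WAN_IF} -p {p} --dport {ext} -j DNAT --to {to}",
        f"iptables -A autofw-acl -i {WAN_IF} -p {p} -d {t} --dport {internal} -j ACCEPT",
    ]
    if rule["dns"]:
        # Assumed hairpin NAT: LAN clients using the external address get the
        # same DNAT, and replies are masqueraded so they return through Coyote.
        cmds += [
            f"iptables -t nat -A PREROUTING -i {LAN_IF} -d {EXT_IP} -p {p} --dport {ext} -j DNAT --to {to}",
            f"iptables -t nat -A POSTROUTING -o {LAN_IF} -p {p} -d {t} --dport {internal} -j MASQUERADE",
        ]
    return cmds


def compile_rules(text):
    """Commands for every rule in a rules file, in file order."""
    rules = filter(None, map(parse_rule, text.splitlines()))
    return [cmd for r in rules for cmd in iptables_for(r)]

SAMPLE_RULES = """\
# constructed sample rules file built from this FAQ's own examples
auto Y tcp 80 192.168.0.2 dns       # web server, reachable via external name
port Y 192.168.0.4 tcp 8080 80      # second web server on an alternate port
auto Y tcp 20000:20015 192.168.0.2  # ICQ port range for one workstation
auto N udp 113 192.168.0.2          # disabled rule, emits nothing
"""
```

Running compile_rules(SAMPLE_RULES) gives eight commands: four for the dns-flagged rule, two for the port rule, two for the ICQ range, and none for the disabled rule.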

Q: I forwarded ports for FTP, and my friend can connect, but he doesn't get a directory listing.
A: Have him try PASV (passive) mode on his client. If your friend is also behind a firewall/router, this may not work at all. FTP simply wasn't designed to pass through multiple levels of address translation.

Q: I'm sure I have the correct Coyote Rule, and it works fine on my local network, but still my game server/application won't work over the Internet. What's wrong?
A: Unfortunately, some protocols just won't work through Network Address Translation. They may require multiple machines on each side of the firewall to be able to address each other directly, and NAT doesn't allow that. Or they may require that machines on the internet be allowed to access unpredictable ports on your server, which is contrary to the way Coyote's firewall works. In those cases, your options include: A) Getting another IP address assigned by your ISP and connecting the machine that uses this protocol directly to the internet. B) Not using the software that requires that protocol.

If the problem is with software running on a Windows system, you can sometimes figure out what ports need to be opened using ZoneAlarm firewall software. Download the free version from their site and install it on a machine connected directly to the internet. Set ZoneAlarm to the highest security setting, and enable pop-up windows. Start the problematic application. ZoneAlarm should instantly alert you that an unknown program is trying to access the Internet and list the ports it's trying to use. Write that down and create Coyote Rules that match those ports.

Another possible solution is to investigate whether there are other router products out there which are known to work with this application. One place to look for reviews of hardware routers is PracticallyNetworked.com.

Q: Are there any suggestions for how to get IRC to work?
A: Many IRC servers send out an IDENT request to confirm that there is really a machine at the address you're coming from. If you set up a Coyote Rule to forward that request to your workstation (or any other machine that is capable of responding, such as a server), the IRC server will be satisfied.
auto Y tcp 113 192.168.0.2
auto Y udp 113 192.168.0.2

Q: I'm having problems getting ICQ to work. Can you help?
A: Configure the ICQ client program to "not use proxy", and specify a selected range of ports for it to listen on for incoming events, such as 20000 - 20015. Add a new port-forwarding rule on Coyote to direct these ports to that workstation, such as: auto Y tcp 20000:20015 192.168.0.2. Save it, and write your configuration to disk. If you have additional computers that use ICQ, you would want to use a port range of 20016 - 20030 for the next one, and so on. Each computer would also need its own port-forwarding rule added.

Apparently there is a bug in ICQ versions 2001b and up. Even if you set ICQ to listen to the ports, it will not. This is remedied by selecting No proxy and reselecting Proxy and the ports to listen to.

Q: How do I get all the features of MS Messenger to work?
A: The following ports must be forwarded to the internal machine on which you wish to use MS Messenger: 389, 522, 1503, 1720, 1731, 8080.

Q: How do I enable the users on my LAN to receive incoming Instant Messages?
A: You can only enable this for one specific machine on the LAN. Any of the users on your LAN can initiate an IM connection with someone outside, and Coyote can then keep track of which machine the replies should go to. But an incoming unsolicited IM won't identify which of the various machines on your LAN it's trying to reach, and Coyote has no way of deciding which machine to send it to... unless you tell it ahead of time, with a Coyote Rule that specifies a single machine to send them to. IMs are like a letter sent to a large apartment building, but with no room on the envelope for a name or apartment number; the doorman would have no way of knowing which apartment to send it to unless you tell him which one ahead of time.

Q: How do I open a certain port to all of my local machines?
A: It doesn't work that way. This is similar to the situation for enabling IM, above. To the outside world, all of your machines are clumped together into a single IP address, with no way of distinguishing one from another. This is an inevitable side-effect of Network Address Translation. If you have multiple machines that need to be accessible from the outside, you need to either use a different port for each one (which requires the outside user to know how to specify different ports) or get your ISP to assign you an IP address for each machine (which usually costs more money).

Q: Can I add another NIC to create a DMZ or another local network?
A: A project to add this capability to Coyote is underway. It will either be incorporated in a future release of Coyote or be written up as a separate "how to" document when it is working. Instructions for adding another NIC to support a second local network (with no routing between that network and the original local network) can be found here.

Q: Can I add another NIC and connect Coyote to two different internet connections (to increase speed or for redundancy)?
A: No. "Teaming" multiple connections to increase throughput can only be done with the active cooperation of your ISP, and if you're using more than one ISP (such as DSL and cable connections), it is not possible. "Load balancing" between multiple connections (including automatic fail-over) is more feasible (ISPs and other critical-availability sites do it all the time), but it requires the router to have a level of intelligence to determine which of the two available routes to use for a given outbound request. Coyote does not know how to do this. You might find this SlashDot discussion informative about the options for how this might be done.

Q: Can I assign multiple external IP addresses to Coyote?
A: Yes, but it requires a little script-hacking; full support of it is planned for an upcoming release.

Q: How do I block certain machines on my LAN from accessing the internet?
A: To block (for example) 192.168.0.11 from accessing any non-local IP addresses, add the following command to /etc/coyote/firewall (replace 192.168.0.0/24 with your own LAN's network if it differs):
iptables -I autofw-acl -i eth0 -s 192.168.0.11 -d ! 192.168.0.0/24 -j REJECT

Q: How do I allow access to a service on my LAN only from a certain trusted machine on the internet?
A: To allow only (for example) 12.34.56.78 to access your web server at 192.168.0.2, do not forward this port using the regular Coyote Rules (which would open it to the general public). Instead, add the following commands to /etc/coyote/firewall. Change the port number to the appropriate value for other services.

iptables -A autofw-acl -i $IF_INET -p tcp -d 192.168.0.2 --dport 80 -j ACCEPT
iptables -t nat -A auto-forward -i $IF_INET -p tcp -s 12.34.56.78 --dport 80 -j DNAT --to 192.168.0.2

Q: How do I block access from a certain machine on the internet?
A: Use the following example of what to add to /etc/coyote/firewall:

# The next 4 lines create and maintain the block-acl chain
iptables -N block-acl 2>/dev/null
iptables -F block-acl 2>/dev/null
iptables -D FORWARD -j block-acl 2>/dev/null
iptables -I FORWARD -j block-acl 2>/dev/null

# Create as many block rules as needed:
# -p [protocol]
# -s [source_ip[/subnet]]
# -d [destination_ip[/subnet]]
# --dport [destination_port]
# -j <DROP> # Don't reply ("stealth")
# -j <REJECT> # Reply with port-unreachable ("closed")

iptables -A block-acl -i $IF_INET -p tcp -s 195.5.64.3 -d 192.168.0.10 --dport 80 -j DROP

Online Security

Q: How secure is Coyote?
A: While no Internet-connected machine is 100% safe, Coyote provides a moderate-to-strong degree of security for the computers that it shares an Internet connection with. Coyote Linux and other distributions like it that do not run services such as web, ftp, email, etc. are at least as secure as - and possibly more secure than - commercially-offered home firewall/gateway solutions. By using Network Address Translation (NAT) to hide the true addresses of the internal computers (LAN hosts), by "stealthing" ports to partially hide the presence of your LAN from port-scanners, and by preventing any sort of direct connection from an Internet host to your LAN, Coyote provides the necessary security to enable such inherently-insecure services as Microsoft file/print sharing or Microsoft IIS with SQL Server on your LAN. However, please note that by adding any port-forwarding rules to Coyote, you are opening your LAN to additional risks. When a Coyote Rule allows access to an internal computer, you then have to make sure that the service being exposed to the Internet is secure.

Q: Can Coyote "stealth" my ports?
A: By default, all external ports (except one) are already "stealthed". This means that if someone probes any of these ports, it will appear to them as if there were no machine at this address. This is more secure than the traditional response (used by CL1, for example), which would be to reply that the ports are "closed". Replying would confirm to the prober that there is a device here to (try to) crack into, and possibly provide some clues in the process indicating what kind of device it is. Not replying gives them no clues whatsoever. The only port that is not "stealthed" is port 22, which responds as "open" to allow SSH access from external locations. If you add port-forwarding rules for a web or mail server, those ports will appear "open", "closed", or "stealth", depending on the status of the service on the machine you forwarded the port to.

Q: How do I stealth port 22?
A: Comment out (or remove) the line in /etc/coyote/firewall ("advanced firewall configuration" in the WebAdmin "port forwarding" page, or option 5 on the console menu) that includes the text --dport 22 -j ACCEPT.

Q: How do I enable pings of my Coyote box?
A: Incoming pings are ignored by Coyote, by default. There is a commented-out command in /etc/coyote/firewall ("advanced firewall configuration" in the WebAdmin "port forwarding" page, or option 5 on the console menu) that will tell Coyote to accept and reply to incoming pings. While this can be useful in troubleshooting your internet connectivity, it also provides confirmation to network probes that there is a machine at this address, reducing the "stealth" level of the system.

Alternate Media Support

Q: Can I run Coyote off of a Hard Drive?
A: No, because Coyote Linux does not include the IDE or SCSI drivers necessary for that. Coyote Linux was designed to load from a floppy. It is possible to modify Coyote to load from a hard drive, but it's important to understand that Coyote will not take advantage of that hard drive as a storage device. Coyote's main storage "device" is a virtual disk that it creates in RAM, and it doesn't use a physical disk (floppy or hard) for this purpose. The only time it will write anything to a disk is when you select option W on the console menu or the "Save Configuration" option on the WebAdmin interface, to backup your changes to the boot disk. So if you start loading a lot of additional files onto a Coyote system, it will need additional RAM to allow for this larger virtual hard drive. For example, if you want room on your Coyote system to store 10MB of files, loading it from a hard drive with >10MB of free space won't accomplish that; you need to add 10MB of RAM for that. Claudio Roberto Cussuol's CL 2 Add-Ons site has an IDE-enabled kernel and instructions for how to use it as a boot device.

Q: Can I run Coyote off of a CD-ROM Drive?
A: Yes, but it is an involved process and requires a full Linux system to create the boot CD. Something to keep in mind is that the configuration of such a system cannot be updated; you are creating a CD-ROM, as in "Read Only Memory". All of your configuration options, port-forwarding, or script modifications must be completed and tested before you create the CD. Also, it requires a system BIOS capable of booting from the CD drive. See this page for two sets of instructions for doing this that I've located. The above advisory about storage space and RAM that applies to using a hard drive as a boot device also applies to using a CD-ROM.

Q: How do I create a backup of my CoyoteLinux disk?
A: You can do this right on your running Coyote system. Use the Linux command dd (think "duplicate disk") to create a temporary image of your boot disk. From the command line:
dd if=/dev/fd0 of=/root/coyote.img
Take the boot diskette out of the drive and replace it with a blank one. Then use the next command to write the image to it:
dd if=/root/coyote.img of=/dev/fd0
Repeat the above command if you want to make multiple copies. Then delete the disk image:
rm /root/coyote.img
(I chose /root randomly, you can put it anywhere.)

Q: Is there a Windows program that I can use to Back Up Coyote?
A: CoyoteBack is a Windows (NT/2K/XP) GUI backup and restore utility for Coyote Linux floppies.

Q: How do you copy a floppy if you made it a non-standard size like 1.68MB?
A: You do not need BIOS support or special media for 1.68MB or 1.72MB diskettes. You do need special media and drives for 2.88MB diskettes. The technique used to format a 1.44MB diskette to a higher capacity works by increasing the number of tracks (also called cylinders) on the disk. This process makes disk access slower and a little less reliable, and some older floppy disk drives don't read such disks properly. There are a few options available, though:

There is a Windows formatting program called Maxi Disk that will allow you to format a floppy to 1.68MB. WinImage can do the same (and of course write diskette images to diskettes).

Q: What do I need if I want to do what Coyote Linux does, but on a full Linux distro?
A: Read http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO.html . Regarding the 2.4.x kernels, see http://www.e-infomax.com/ipmasq/howto/beta/c-html/index.html

Network Administration

Q: Is it possible to use only one NIC with Coyote? (AKA IP alias, multihome the NIC)
A: There have been reports of this being accomplished. However, it is not at all recommended, because it exposes your LAN directly to the internet, and has the potential to broadcast all sorts of "local" traffic onto your ISP's network. Spend the extra $10 on another NIC and do it right.

Q: I use dial-up/56k, and I'm having problems with the diald (dial on demand) in Coyote, especially it being triggered or staying connected when I don't want it to. Is there a way to control dial-up more directly?
A: Yes. See this site for a modified Coyote installation package made by Theodore B. Ruegsegger, which allows users on your LAN to connect and disconnect using commands to the Coyote box over SSH. It also allows easy switching between dial-up numbers.

Q: How can I find the external IP address my Coyote system is using?
A: The command getifaddr ppp0 will work for PPP or PPPoE. Use getifaddr eth1 for other types of connections. To stash this into a variable, use: EXTIPADDR=`getifaddr ppp0` NOTE: Those aren't single quote marks in the alias naming - they are the tick marks that can be found on the key shared with the ~ mark. The command won't work with single quotes!

The script ip-up is called when the PPP over Ethernet connection is successfully completed and has obtained an IP address. This ip-up script calls rc.masquerade (which in turn calls rc.firewall). Putting the above code into either of those will allow you to use $EXTIPADDR in ipchains and portforwarding rules, etc.

Q: Since using Coyote, my internet connection is slower...
A: That isn't a question. {smile}
There are a few possible reasons why this might be true, but if you are using online bandwidth testers as your basis, please remember that online speed/bandwidth tests aren't that accurate. Things like server load, latency, cable quality, etc. can be the reasons for speed/bandwidth issues. You would practically need a sterile lab environment, but lab testing is difficult to compare to the real world. However, they do provide a ballpark figure, and it is best to compare the results of a few tests, because where a server is geographically relative to your location affects this as well. This site lists a few tests available, as well as other possible tweaks. Odds are the gear between you and the server on the Internet is having a greater impact on effective bandwidth than any of the software running on your router or PC, especially in the case of Coyote Linux. After all, Coyote Linux generally has nothing to do except pass packets back and forth, and a 33MHz 486 (for example) can handle broadband-internet-speed traffic pretty easily.

1. Because PPPoE requires substantially more processing than other networking methods, CPU speed can have an impact on performance. Anything over 66MHz should work fine.

2. The Maximum Transmittable Unit (MTU) could be set too high. You might consider contacting your ISP to find out what size MTU they use because you could be the victim of fragmentation. Fragmentation is what happens if the packet you send is larger than your ISP uses: it must be broken into pieces and linked via an additional packet of instructions for re-assembly by the destination receiver, making your connection slower. If you are using a smaller packet than your ISP, your connection is slightly slower than it could be.

3. Have you set up custom iptables rules and port forwarding? These can consume excessive CPU resources if done incorrectly. Keep them as brief as possible and in a logical order, so that the router isn't bogged down processing packets against rules it doesn't need to.

4. Don't block all ICMP packets. One type of ICMP packet is "fragmentation needed", which directly affects your MTU size; if those are blocked, the sender can't learn that it needs to reduce its MTU, and your connection slows down.

5. Hardware: an improper setup could have a huge effect on performance. Try more RAM, another machine, or possibly a different Linux Router derivative to see if it really is Coyote that is the problem.

Q: Sometimes I see "eth1: tx interrupt but no status" or "eth1: rx interrupt but no status" in my daily logs. What does this mean?
A: "TX" means transfer and "RX" means receive. The message seems to mean that a status message was dropped or overwritten after a packet was sent: the driver received an interrupt indicating that the packet had been sent, but the status information that should accompany it was missing, so it couldn't confirm that the send succeeded. This may or may not affect the reliability of your connection. No solution is known, but changing to a different model NIC might help.

Q: Can I change the MAC address of the NICs on the Coyote router?
A: Yes. This can be useful if your ISP records the hardware signature of your computer's NIC (to verify that you are a legitimate user of their service, and not just hacking onto their cable), and you want to insert a Coyote firewall between your computer and the ISP. Add the following command to /etc/rc.d/rc.local:
ifconfig eth0 hw ether XX:XX:XX:XX:XX:XX
substituting the actual hexadecimal MAC address (six two-digit groups) you want the Coyote box to use for the X's.

NOTE: Some sources indicate that a card that has been told to use a different MAC address will not perform as quickly. Another alternative is to call your ISP and tell them you had to buy a new NIC, and let them record the MAC address of this one.

Q: Can I block access by the MAC address of a NIC?
A: Yes. See this forum thread for various approaches.

Q: Why are there no log files in /var/log?
A: Coyote doesn't write log files locally, to conserve its limited storage space. (There is no cron facility included to rotate log files). Instead, you can redirect log files to a remote machine running syslog.

Q: How do I redirect log files to a syslog server/daemon on another computer on my network?
A: There is an option during the setup process for a Coyote diskette where you can specify the address of a server configured to listen for remote syslogs. This can also be added later by adding a line to Coyote's main configuration file: LOGGING_HOST= followed by the IP address of the machine that will be running syslogd. The standard unix-type syslog daemon must be started with the -r parameter to allow it to accept remote syslogs. The file /etc/init.d/syslog is usually the place where syslog is started.
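Note that syslogd -r accepts UDP datagrams from anyone, so a receiver should at least restrict which source addresses it trusts. The following is an added example, not part of Coyote or of any syslog daemon: a small Python receiver that decodes the BSD-style syslog lines a Coyote box sends, accepts datagrams only from the router's LAN address, and tallies the "tx/rx interrupt but no status" kernel messages discussed in the earlier eth1 question. The sample lines, the hostname "coyote" and the router address 192.168.0.1 are constructed.

```python
"""Decode BSD-style syslog datagrams as a remote syslog daemon receives them
from a Coyote box, and count the NIC driver messages discussed on this page.
Added example, not part of Coyote or of any syslog daemon; the sample lines
are constructed and the hostname "coyote" is an assumption."""
import re
import socket
from collections import Counter

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss host message  (the BSD format syslogd -r receives)
LINE_RE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")
NIC_RE = re.compile(r"^kernel: (eth\d+): (tx|rx) interrupt but no status")


def parse_syslog(line):
    """Split one syslog line into facility, severity, timestamp, host, message."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    pri = int(m.group(1))
    facility, severity = divmod(pri, 8)  # PRI = facility * 8 + severity
    if facility >= len(FACILITIES):
        raise ValueError(f"PRI out of range: {pri}")
    return {"facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "time": m.group(2), "host": m.group(3), "msg": m.group(4)}


def nic_status_errors(lines):
    """Count 'tx/rx interrupt but no status' kernel messages per host and NIC."""
    counts = Counter()
    for line in lines:
        rec = parse_syslog(line)
        m = NIC_RE.match(rec["msg"])
        if rec["facility"] == "kern" and m:
            counts[(rec["host"], m.group(1), m.group(2))] += 1
    return counts


def accept_datagram(src_ip, allowed_sources):
    """UDP syslog is unauthenticated: only trust datagrams from the router."""
    return src_ip in allowed_sources


def receive(allowed_sources, port=514):
    """Minimal UDP listener yielding parsed records from accepted sources."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("", port))
        while True:
            data, (src_ip, _) = s.recvfrom(2048)
            if accept_datagram(src_ip, allowed_sources):
                yield parse_syslog(data.decode("ascii", "replace").rstrip("\x00\n"))


# Constructed sample lines, formatted as a Coyote box might send them.
SAMPLE_LOG = [
    "<6>Nov  2 03:15:01 coyote kernel: eth1: rx interrupt but no status",
    "<6>Nov  2 03:15:07 coyote kernel: eth1: tx interrupt but no status",
    "<4>Nov  2 03:16:22 coyote kernel: eth1: tx interrupt but no status",
    "<38>Nov  2 03:20:00 coyote sshd[212]: Connection from 192.168.0.2 port 1034",
]
ROUTER_LAN_IP = "192.168.0.1"  # assumed address of the Coyote box on the LAN
```

With the sample lines, nic_status_errors reports two tx and one rx message for eth1 on host coyote; receive({ROUTER_LAN_IP}) would do the same on live traffic, needing root to bind port 514.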

Q: Is there a free/inexpensive syslog daemon available for non-unix systems?
A: Yes. See the table:

Win95/98/ME/NT/2000/XP/2003:
  TriAction (30 day trial, $30)
  3Com (link is to a zip file)
  Kiwi (freeware and pay versions)
  Microtik
WinNT/2K/XP/2003 only:
  SL4NT (60 day trial, $95)
MacOS <=9:
  Netlogger (free shareware)

Add-Ons and Packages

Q: If Coyote Linux is based on the Linux Router Project (LRP), am I able to add other lrp modules?
A: Coyote was originally derived from LRP, but has undergone significant changes. Although Coyote still has some of LRP's base scripts, for the most part it is no longer compatible with LRP. You will (at the very least) need to alter the init scripts for some packages and rebuild them as a .tgz.

Q: What add-on packages are available for Coyote Linux?
A: Claudio Roberto Cussuol's CL 2 Add-Ons site has packages and/or installation instructions for IDE support (to use a hard drive), ez-ipupdate (for DynDNS and other dynamic DNS services), IPTraf (traffic monitoring), additional busybox commands (wnc, get), cron (scheduling processes), an FTP client, an LCD driver, a web server, and more.

Q: I want to develop things for Coyote - is there anything I should be aware of or use?
A: The Coyote-Build package is what you should use. It is basically a rolled-up package of the necessary components, of the right versions, from a Red Hat Linux system, allowing you to compile your applications in a chroot'ed environment... this links them against the proper library versions to work on the Coyote floppy. Note: You may need to log in as "root" to use this environment; merely doing a su root won't necessarily work.

Links For More Information

Q: Where can I find more information about Linux?
A: Start with these sites:


Hosting for this document is provided by Rzero.
Send updates/additions/corrections to coyote@rzero.com.