kb/protocols

Network protocols: BGP, OSPF, SSH, DNS, HTTP

Network protocols on Linux, both routing and application, with how they work and how to configure them: BGP and OSPF through FRR, an SSH server and its hardening, BIND as an authoritative DNS, Apache vhosts and TLS. Each protocol comes with a minimal config that actually runs.

14 статей в категории

§ статьи

apache-httpdApache httpd: the web serverApache httpd is a web server. On RHEL the package is `httpd`, config `/etc/httpd/conf/httpd.conf`. On Debian/Ubuntu the package is `apache2`, config `/etc/apache2/apache2.conf` + `sites-enabled/`.
bgpBGP: Border Gateway Protocol**BGP** is the routing protocol between autonomous systems (AS). It is the language ISPs and large networks use to exchange reachability information: which AS owns which prefixes and how to reach them.
bind-dns-serverBIND: Authoritative and Caching DNS ServerBIND (Berkeley Internet Name Domain) is the most widely deployed DNS server on Linux. The daemon is `named`, the config is `/etc/named.conf` or `/etc/bind/named.conf`, and control goes through `rndc`.
ftp-sftpFTP and SFTP: file transferFTP is an old protocol with control plus data connections (active/passive modes) and no encryption. SFTP is an SSH subsystem that shares nothing with FTP except the name. Today, use SFTP or [[cmd-rsync|rsync]].
ipsec-ikeIPsec and IKEv2: the enterprise VPN standardIPsec is the L3 VPN standard. ESP encapsulates and encrypts, IKEv2 exchanges keys. Tunnel mode adds a new IP header for site-to-site; transport mode stays host-to-host. On Linux this is strongSwan.
kerberosKerberos: network single sign-onKerberos is an SSO system built on tickets and time-based cryptography. You enter your password once (`kinit`) and get a TGT. After that the KDC issues service tickets in exchange for it. Core of AD and FreeIPA.
ldap-basicsLDAP: directory services fundamentalsLDAP is a query against a hierarchical directory. A DN is the coordinate of an object (cn=user,ou=People,dc=example,dc=com), bind is authentication, schema defines object classes and attributes. OpenLDAP/389-DS on Linux.
nfsNFS: Network File SystemNFS is a network file system from Sun. v3 is stateless, v4.1+ is stateful with delegations and pNFS. /etc/exports on the server, mount -t nfs on the client. root_squash, sync/async, and the lock manager are the main options.
openvpnOpenVPN: TLS-based VPNOpenVPN is a userspace TLS VPN built on X.509 certificates. Modes: tun (L3, default) or tap (L2). Supports UDP/TCP, push routes, per-user authentication, and TCP-443 as HTTPS camouflage. Heavier than [[wireguard|WG]].
ospfOSPF: Open Shortest Path First**OSPF** is a link-state IGP inside one autonomous system. Each router knows the full topology (LSDB) and independently computes shortest paths with Dijkstra. Convergence takes seconds.
quic-http3QUIC: Modern Transport over UDPQUIC is a transport over UDP. TLS 1.3 is built in (1 RTT, 0-RTT for resume). Multiplexing without head-of-line blocking. Connection migration (Wi-Fi to 4G without drop). HTTP/3 = HTTP semantics over QUIC.
smtp-mtaSMTP: MTA and Email DeliverySMTP is a text-based mail delivery protocol. Port 25/tcp is server-to-server, 587 is submission (client with auth), 465 is implicit-TLS legacy. MX record in DNS, STARTTLS+SPF+DKIM+DMARC is the standard stack.
sshSSH: Secure ShellSSH is an encrypted channel to a remote host: shell, file copy, port-forwarding. Standard port 22, authentication by keys or password.
wireguardWireGuard: Modern UDP VPNWireGuard is a UDP VPN built into the Linux kernel. A Curve25519 key pair, peers with AllowedIPs (both ACL and routing table). About 4000 lines of code versus millions in OpenVPN/IPsec. Flat config, no TLS, no certificates.

← вернуться ко всем категориям базы знаний